
[Vulnerability notice] CVE-2016-5195: Dirty copy-on-write (Dirty COW) vulnerability

Last Updated: Mar 19, 2018

Vulnerability identifier

CVE-2016-5195

Vulnerability name

Dirty copy-on-write (Dirty COW)

Vulnerability rating

High

Vulnerability description

An attacker who has already obtained the permissions of an unprivileged user, for example through a remote intrusion, can exploit this vulnerability for local privilege escalation on a Linux-based server running any affected kernel version and obtain the root privilege of the server.

Condition and method of exploitation

An attacker can exploit this vulnerability in the operating system after obtaining the permissions of an unprivileged user by means of remote intrusion.

Affected scope

  • All Linux operating systems with the Linux kernel 2.6.22 and later

    All Linux operating systems running Linux kernel 2.6.22 (released in 2007) or any later kernel released before the fix on October 18, 2016 are affected.

    Run the uname -a command to check the kernel version of your Linux operating system and whether it is affected. For example, you may get the following results:

    Linux AYxxxx 2.6.32-431.23.3.el6.x86_64 #1 SMP Thu Jul 31 17:20:51 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

    The kernel version 2.6.32-431.23.3.el6.x86_64 is affected.

    Linux AYxxxx 2.6.18-308.el5 #1 SMP Tue Feb 21 20:06:06 EST 2012 x86_64 x86_64 x86_64 GNU/Linux

    The kernel version 2.6.18-308.el5 is not affected.

  • The Alibaba Cloud Security Team tested the Linux operating system images of ECS instances as soon as the vulnerability was disclosed. The following table lists the impact details.

    Release | Version | Architecture | Affected | Official patch status | Remarks
    CentOS | 5.8 | x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    CentOS | 5.1 | i386/x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    CentOS | 6.5 | i386/x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    CentOS | 7 | x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    CentOS | 7.2 | x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    Ubuntu | 12.04 | i386/x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    Ubuntu | 14.04 | i386/x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    Debian | 6.0.9 | i386/x64 | Yes | None | Maintenance discontinued. System upgrading is recommended.
    Debian | 7.5.0 | i386/x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    Debian | 8.0.4 | x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    Alibaba Cloud Linux | 15.1 | i386/x64 | Yes | Unpublished | -
    SUSE Linux Enterprise Server | 11 SP1 | x64 | Yes | Released | Only for the users who have bought SLES enterprise services.
    SUSE Linux Enterprise Server | 11 SP2 | x64 | Yes | Released | Only for the users who have bought SLES enterprise services.
    SUSE Linux Enterprise Server | 11 SP3 | x64 | Yes | Released | Only for the users who have bought SLES enterprise services.
    SUSE Linux Enterprise Server | 12 SP1 | x64 | Yes | Released | Only for the users who have bought SLES enterprise services.
    openSUSE | 13.1 | i386/x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud.
    CoreOS | 681.2.0 | x64 | Yes | Released | The patch can be installed by the default configurations of Alibaba Cloud, but at a low speed.
    FreeBSD | 10.1 | x64 | No | Released | FreeBSD runs the UNIX kernel instead of Linux.

Vulnerability fixing solution

Note

  • Because the upgrade involves the operating system kernel, we strongly recommend that you stop the running services and back up the business data. We also recommend that you create a snapshot of the server disk so that any irreversible impact of the vulnerability fix can be rolled back.

  • If third-party protection software such as a cloud lock or a dongle is installed on your server, the kernel upgrade may fail. We recommend that you uninstall the software and reinstall it after the kernel has been upgraded successfully.

CentOS 5/6/7 operating systems

Alibaba Cloud has updated mirrors.aliyun.com for CentOS 5/6/7. You can use the default configurations to update the software list, and perform a one-key upgrade of the kernel. The procedure is as follows:

  1. Run yum check-update |grep kernel to check availability of the kernel upgrade package.

  2. Run yum update kernel to upgrade the kernel.

  3. Run the following command to check whether the initrd/initramfs of the new kernel contains the Xen and virtio block drivers (xen-blkfront and virtio_blk on CentOS):

    lsinitrd /boot/initramfs-2.6.32-642.6.2.el6.x86_64.img |grep -i -E 'xen-blkfront|virtio_blk'

    Substitute the name of the initrd file (CentOS 5.1) or initramfs file (CentOS 6/7) that the upgrade installed; list the /boot/ directory (cd /boot/) to find it. Example output on a patched system:

    # lsinitrd /boot/initramfs-2.6.32-642.6.2.el6.x86_64.img |grep -i -E 'xen-blkfront|virtio_blk'
    -rwxr--r-- 1 root root 23448 Nov 4 14:51 lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/drivers/block/virtio_blk.ko
    -rwxr--r-- 1 root root 54888 Nov 4 14:51 lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/drivers/block/xen-blkfront.ko
  4. If the driver exists, restart the system.

  5. If the drivers do not exist, add them to initrd/initramfs with the command below, perform step 3 again, and restart the system.

    • CentOS 5:

    #mkinitrd -f --allow-missing \
    --with=xen-vbd --preload=xen-vbd \
    --with=xen-platform-pci --preload=xen-platform-pci \
    --with=virtio_blk --preload=virtio_blk \
    --with=virtio_pci --preload=virtio_pci \
    --with=virtio_console --preload=virtio_console \
    --with=hvc_console --preload=hvc_console \
    $target_initrd $vmlinuz

    List the /boot/ directory (cd /boot/) and substitute the installed initrd file name for $target_initrd and the installed kernel version for $vmlinuz.

    • CentOS 6/7:

    #mkinitrd -f --allow-missing \
    --with=xen-blkfront --preload=xen-blkfront \
    --with=virtio_blk --preload=virtio_blk \
    --with=virtio_pci --preload=virtio_pci \
    --with=virtio_console --preload=virtio_console \
    $target_initrd $vmlinuz

    Example for installing the drivers (for 64-bit CentOS 6.8):

    #mkinitrd -f --allow-missing --with=xen-blkfront --preload=xen-blkfront --with=virtio_blk --preload=virtio_blk --with=virtio_pci --preload=virtio_pci --with=virtio_console --preload=virtio_console initramfs-2.6.32-642.6.2.el6.x86_64.img 2.6.32-642.6.2.el6.x86_64

    List the /boot/ directory (cd /boot/) and substitute the installed initramfs file name for $target_initrd and the installed kernel version for $vmlinuz.

  6. Perform step 3 again to confirm that the drivers now exist, and then restart the system.

    # lsinitrd /boot/initramfs-2.6.32-642.6.2.el6.x86_64.img |grep -i -E 'xen-blkfront|virtio_blk'
    -rwxr--r-- 1 root root 23448 Nov 4 16:21 lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/drivers/block/virtio_blk.ko
    -rwxr--r-- 1 root root 54888 Nov 4 16:21 lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/drivers/block/xen-blkfront.ko
  7. To view the kernel version after upgrade, run uname -a or rpm -q --changelog kernel | grep 'CVE-2016-5195'. You can also use Alibaba Cloud Security Server Guard for verification.

Note: Two kernels may be installed after the upgrade, but system operation is not affected.

  # uname -a
  Linux iZ2ze1zpafrqftmdfh0b3cZ 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

or

  #rpm -q --changelog kernel | grep 'CVE-2016-5195'
  - [mm] close FOLL MAP_PRIVATE race (Larry Woodman) [1385116 1385117] {CVE-2016-5195}

Ubuntu operating systems

Alibaba Cloud has updated mirrors.aliyun.com for Ubuntu. You can use the default configurations to update the software list, and then perform a one-key upgrade of the kernel. The procedure is as follows:

  1. Run dpkg -l | grep linux to check availability of the update package.

  2. Run apt-get update or apt update to retrieve the update package list.

  3. Upgrade the kernel:

    • For Ubuntu 12.04, run apt-get install linux-generic.
    • For Ubuntu 14.04, run apt-get upgrade or apt upgrade.
  4. Restart the system.

  5. Run uname -a or zcat /usr/share/doc/linux-image-3.13.0-101-generic/changelog.Debian.gz | grep -i 'CVE-2016-5195' to view the kernel version after upgrade. You can also use Alibaba Cloud Security Server Guard for verification.

Note: Two kernels may be installed after the upgrade, but system operation is not affected.

  # uname -a
  Linux iZ2ze1zpaXXXXb3cZ 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26

or

  # zcat /usr/share/doc/linux-image-3.13.0-101-generic/changelog.Debian.gz | grep -i 'CVE-2016-5195'
  * CVE-2016-5195

Debian operating systems

Alibaba Cloud has updated mirrors.aliyun.com for Debian. You can use the default configurations to update the software list, and then perform a one-key upgrade of the kernel. The procedure is as follows:

  1. Run dpkg -l | grep linux to check availability of the update package.

  2. Run apt-get update to retrieve the update package list.

  3. Run apt-get upgrade to upgrade the kernel.

  4. Restart the system.

  5. Run uname -a or zcat /usr/share/doc/linux-image-3.16.0-4-amd64/changelog.Debian.gz | grep -i 'CVE-2016-5195' to view the kernel version after upgrade. You can also use Alibaba Cloud Security Server Guard for verification.

Note: Two kernels may be installed after the upgrade, but system operation is not affected.

  # uname -a
  Linux iZ2ze1zpaXXXXb3cZ 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux

or

  # zcat /usr/share/doc/linux-image-3.16.0-4-amd64/changelog.Debian.gz |grep -i 'CVE-2016-5195'
  (CVE-2016-5195)

SUSE Linux Enterprise Server (SLES) operating systems (only for the users who have bought SLES enterprise services)

  1. Use the http://mirrors.aliyuncs.com/SLES/SLES12-SP1-Updates/sle-12-x86_64/ source for update.

    You can edit the repository files under /etc/zypp/repos.d/ (for example, vim /etc/zypp/repos.d/SLES12-SP1-Updates.repo) to disable the other update sources by setting enabled=0 for them, leaving http://mirrors.aliyun.com/SLES/SLES12-SP1-Updates/sle-12-x86_64/ enabled, and then run zypper refresh to update the list.

  2. Run zypper install kernel-default xen-kmp-default to install the latest kernel.

  3. Run the following command to check whether the initrd/initramfs of the new kernel contains the xen-vbd and virtio_blk drivers (substitute the installed version):

    lsinitrd /boot/initrd-3.12.62-60.64.8-default | grep -i -E 'xen-vbd|virtio_blk'

    Example output on a patched system:

    # lsinitrd /boot/initrd-3.12.62-60.64.8-default | grep -i -E 'xen-vbd|virtio_blk'
    Arguments: --logfile --force --force-drivers 'xen-vbd xen-vnif xen-platform-pci.ko virtio virtio_console virtio_net virtio_blk virtio_pci'
    -rw-r--r-- 1 root root 55335 Sep 23 15:55 lib/modules/3.12.62-60.62-default/updates/blkfront/xen-vbd.ko
    -rw-r--r-- 1 root root 31591 Oct 19 04:40 lib/modules/3.12.62-60.64.8-default/kernel/drivers/block/virtio_blk.ko
    lrwxrwxrwx 1 root root 61 Nov 7 14:17 lib/modules/3.12.62-60.64.8-default/weak-updates/updates/blkfront/xen-vbd.ko -> ../../../../3.12.62-60.62-default/updates/blkfront/xen-vbd.ko
  4. If the driver exists, restart the system.

  5. If the drivers do not exist, add them to initrd/initramfs with the following command (substitute the installed version), perform step 3 again, and restart the system.

    mkinitrd -k /boot/vmlinuz-3.12.62-60.64.8-default -i /boot/initrd-3.12.62-60.64.8-default

  6. Run uname -a or rpm -q --changelog kernel | grep 'CVE-2016-5195' to view the kernel version after upgrade. You can also use Alibaba Cloud Security Server Guard for verification.

Note: Two kernels may be installed after the upgrade, but system operation is not affected.

  # uname -a
  Linux iZwz9cl4i8oy1pmjw7g4rxZ 3.12.62-60.64.8-default #1 SMP Tue Oct 18 12:21:38 UTC 2016 (42e0a66) x86_64 x86_64 x86_64 GNU/Linux

or

  # rpm -q --changelog kernel-default | grep 'CVE-2016-5195'
  - patches.fixes/mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user_pages.patch: (bnc1004418, CVE-2016-5195).

openSUSE operating systems

  1. Run zypper refresh to update the list.

  2. Run zypper install kernel-default xen-kmp-default to install the latest kernel.

  3. Run the following command to check whether the initrd/initramfs of the new kernel contains the xen-vbd and virtio_blk drivers (substitute the installed version):

    lsinitrd /boot/initrd-3.12.62-55-default | grep -i -E 'xen-vbd|virtio_blk'

    Example:

    # lsinitrd /boot/initrd-3.12.62-55-default | grep -i -E 'xen-vbd|virtio_blk'
    lib/modules/3.12.62-55-default/kernel/drivers/block/virtio_blk.ko
    lib/modules/3.12.62-55-default/updates/blkfront/xen-vbd.ko
  4. If the driver exists, restart the system.

  5. If the drivers do not exist, add them to initrd/initramfs with the following command (substitute the installed version), perform step 3 again, and restart the system.

    # mkinitrd -k /boot/vmlinuz-3.12.62-55-default -i /boot/initrd-3.12.62-55-default

  6. Run uname -a or rpm -q --changelog kernel | grep 'CVE-2016-5195' to view the kernel version after upgrade. You can also use Alibaba Cloud Security Server Guard for verification.

Note: Two kernels may be installed after the upgrade, but system operation is not affected.

  # uname -a
  Linux iZwz9XXXshamswbvrZ 3.12.62-55-default #1 SMP Thu Oct 20 08:47:11 UTC 2016 (b0aa9a6) x86_64 x86_64 x86_64 GNU/Linux

or

  # rpm -q --changelog kernel-default | grep 'CVE-2016-5195'
  - patches.fixes/mm-remove-gup_flags-FOLL_WRITE-games-from-__get_user_pages.patch: (bnc1004418, CVE-2016-5195).

CoreOS operating systems

Run update_engine_client -update to install all the available update packages, including the new kernel, and restart the system.
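The three checks that the procedures above perform by hand (is the kernel version in the affected range, does initrd/initramfs contain the Xen and virtio block drivers, does the kernel changelog name the CVE) as one added POSIX shell script; this is an added example, not a script from the notice or from Alibaba Cloud, and the sample listing and changelog line are constructed.

```shell
#!/bin/sh
# Added example (not part of the Alibaba Cloud notice): the kernel version,
# initrd/initramfs driver and changelog checks from the procedures above.

# Return 0 when a kernel version (the "uname -r" field of "uname -a") is
# 2.6.22 or later, the range the notice lists as affected. A kernel in this
# range may already carry a backported fix, so this is triage only;
# changelog_mentions_fix below is the definitive check.
kernel_in_affected_range() {
    base=${1%%-*}                        # "2.6.32-431.el6.x86_64" -> "2.6.32"
    major=$(printf '%s\n' "$base" | cut -d. -f1)
    minor=$(printf '%s\n' "$base" | cut -s -d. -f2)
    patch=$(printf '%s\n' "$base" | cut -s -d. -f3)
    minor=${minor:-0}; patch=${patch:-0}
    [ "$major" -gt 2 ] && return 0
    [ "$major" -lt 2 ] && return 1
    [ "$minor" -gt 6 ] && return 0
    [ "$minor" -lt 6 ] && return 1
    [ "$patch" -ge 22 ]
}

# Return 0 when an lsinitrd listing on stdin contains both a Xen block
# front-end (xen-blkfront on CentOS, xen-vbd on SUSE) and virtio_blk, the
# drivers the notice requires in initrd/initramfs before rebooting.
initramfs_has_block_drivers() {
    listing=$(cat)
    printf '%s\n' "$listing" | grep -q -i -E 'xen-blkfront|xen-vbd' &&
        printf '%s\n' "$listing" | grep -q -i 'virtio_blk'
}

# Return 0 when package changelog text on stdin (rpm -q --changelog kernel,
# or zcat of changelog.Debian.gz) names the CVE, i.e. the fix is included.
changelog_mentions_fix() {
    grep -q -i 'CVE-2016-5195'
}

# Constructed sample data, modelled on the listings quoted in the notice.
SAMPLE_LISTING='lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/drivers/block/virtio_blk.ko
lib/modules/2.6.32-642.6.2.el6.x86_64/kernel/drivers/block/xen-blkfront.ko'
SAMPLE_CHANGELOG='- [mm] close FOLL MAP_PRIVATE race (Larry Woodman) {CVE-2016-5195}'

# With --live, run the same checks on the running CentOS-style system instead.
if [ "${1:-}" = "--live" ]; then
    k=$(uname -r)
    kernel_in_affected_range "$k" && echo "kernel $k is in the affected range"
    lsinitrd "/boot/initramfs-$k.img" | initramfs_has_block_drivers &&
        echo "initramfs contains the Xen and virtio block drivers"
    rpm -q --changelog kernel | changelog_mentions_fix && echo "fix is in changelog"
fi
```

On Ubuntu or Debian, feed the zcat of the changelog.Debian.gz file into changelog_mentions_fix instead of the rpm output, and on SUSE use the initrd file name and kernel-default package from the steps above.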

TIP

The upstream maintainers of the other operating systems officially released by Alibaba Cloud are developing patches for this vulnerability. After the patches are released, update these systems to the latest version to fix the vulnerability.

Users of custom images can follow the update status published by the operating system vendors and decide, according to their own business requirements, whether to upgrade the kernel to fix the vulnerability.

