Dirty COW (CVE-2016-5195)
Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel.
A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
What does this mean for cPanel servers?
The Linux kernel is either provided by your operating system vendor, (RedHat, CentOS CloudLinux), or by cPanel if you are using cPKernel. You can update following the instructions below.
How do I update to the new Kernel?
1. Log into your server via SSH with root privileges
2. Run “yum clean all” to clear YUM’s local caches
3. Run “yum update” to install the patched version of the kernel once available.
4. After your kernel is updated you must reboot the system.
CentOS7/RHEL7 kernel images have been updated.
CentOS7/RHEL7 now has the updated kernel. You should update your kernel with the following commands:
[root@cent7install ~]# yum clean all
Loaded plugins: changelog, fastestmirror, security, tsflags, universal-hooks
Cleaning repos: EA4 base cPkernel draios elrepo epel extras ius rpmforge updates
...
...
[root@cent7install ~]# yum install kernel
Loaded plugins: fastestmirror, tsflags, universal-hooks
Loading mirror speeds from cached hostfile
* EA4: 208.74.121.37
* epel: mirror.compevo.com
Resolving Dependencies
--> Running transaction check
---> Package kernel.x86_64 0:3.10.0-327.36.3.el7 will be installed
...
...
Verifying : kernel-3.10.0-327.36.3.el7.x86_64 1/1
Installed:
kernel.x86_64 0:3.10.0-327.36.3.el7
Once this is done, you MUST reboot your server. After reboot you can ensure your kernel is updated with the following commands:
[root@cent7install ~]# rpm -q --changelog kernel | grep CVE-2016-5195
- [mm] remove gup_flags FOLL_WRITE games from __get_user_pages() (Alexander Gordeev) [1385123 1385124] {CVE-2016-5195}
[root@cent7install ~]# uname -a
Linux cent7install.novalocal 3.18.41-20.el7.x86_64 #1 SMP Wed Sep 7 15:49:05 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
For more information on this update from RedHat: https://rhn.redhat.com/errata/RHSA-2016-2098.html
CentOS6/RHEL6 kernel images have been updated.
The update instructions are the same as above, but the uname output on CentOS6/RHEL6 should read as follows:
[root@cent6 ~]# uname -a
Linux cent6.novalocal 2.6.32-642.6.2.el6.x86_64 #1 SMP Wed Oct 26 06:52:09 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
For more information on this update from RedHat: https://rhn.redhat.com/errata/RHSA-2016-2105.html
CentOS5/RHEL5 kernel images have been updated.
The update instructions are the same as above, but the uname output on CentOS5/RHEL5 should read as follows:
-bash-3.2# uname -a
Linux i-0003b75e.cpanel.fast-io 2.6.18-416.el5 #1 SMP Fri Oct 28 11:52:49 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
For more information on this update from RedHat: https://rhn.redhat.com/errata/RHSA-2016-2124.html
CentOS6 cPKernel kernel images have been updated.
The update instructions are the same as above, but the uname output on CentOS6/RHEL6 should read as follows:
[root@cent6cPanel ~]# uname -a
Linux cent6cPanel.novalocal 2.6.32-642.6.199.2.cpanel6.x86_64 #1 SMP Wed Oct 26 20:40:16 UTC 2016 x86_64 x86_64 x86_64 GNU/Linux
For more information on cPKernel please see our documentation here: https://documentation.cpanel.net/display/CKB/How+to+Harden+Your+cPanel+System%27s+Kernel
Please see the following for further information:
https://access.redhat.com/security/cve/cve-2016-5195
https://bugzilla.redhat.com/show_bug.cgi?id=1384344
https://security-tracker.debian.org/tracker/CVE-2016-5195
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=19be0eaffa3ac7d8eb6784ad9bdbc7d67ed8e619
https://lkml.org/lkml/2016/10/19/860
https://dirtycow.ninja
https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
https://twitter.com/DirtyCOWVuln
Update Timeline:
CentOS7/RHEL7 kernel images have been updated
Tue Oct 25 12:00:50 CDT 2016
CentOS6/RHEL6 kernel images have been updated
Wed Oct 26 18:07:17 UTC 2016
CentOS6 cPKernel kernel images updated
Wed Oct 26 23:15:51 UTC 2016
CentOS5/RHEL5 kernel images have been updated
Fri Oct 28 15:08:00 CDT 2016
For the PGP-Signed version of the original announcement, please visit https://news.cpanel.com/wp-content/uploads/2016/10/dirtycow-signed.txt