
Comments

27 comments

  • Bazinga
    I don't know how many of you heard about this, but it is really annoying. More info on the topic: Dirty COW (CVE-2016-5195). For those who use CloudLinux KernelCare, there is still no patch. From what I have tested already, it seems that CentOS 7 / CloudLinux 7 are mainly affected. Bug 1384344 - CVE-2016-5195 kernel: mm: privilege escalation via MAP_PRIVATE COW breakage

    CL Kernel developers are working on it to release updated kernels for CL5/6/7 soon.
    0
  • rpvw
    KernelCare users should see Dirty Cow vulnerability: the fix is here! for updates
    0
  • gryzli
    "KernelCare users should see Dirty Cow vulnerability: the fix is here! for updates"

    Thanks to the CloudLinux guys for this!
    0
  • ThinIce
    This really is one of those car crash events, isn't it. RHEL / CentOS again seem to be latest to the party with a patch, the bug thread implies at an uneducated glance that CentOS6 users don't need to worry (which seems incorrect going on other posts to the thread and general chatter) and doesn't make clear if it's worth applying the mitigation on versions other than 7 to address the more recent POCs:
    "The in the wild exploit we are aware of doesn't work on Red Hat Enterprise Linux 5 and 6 out of the box because on one side of the race it writes to /proc/self/mem, but /proc/self/mem is not writable on Red Hat Enterprise Linux 5 and 6."
    and the cPanel announcement doesn't make reference to their own kernel and when they'll update it (cPanel Security Team: Dirty COW (CVE-2016-5195) | cPanel Newsroom). I just give up.
    0
  • ThinIce
    If I understand correctly, the systemtap mitigation will not protect against the subsequent POC exploit released
    0
  • sparek-3
    Actually, my CentOS 6 Kernelcare systems aren't showing any fix
    # cat /etc/redhat-release ; kcarectl --check ; kcarectl --patch-info | grep -i cve-2016-5195
    CentOS release 6.8 (Final)
    No update necessary
    0
  • rpvw
    @sparek-3 Interesting - my check using the same code produced different results:
    # cat /etc/redhat-release ; kcarectl --check ; kcarectl --patch-info | grep -i cve-2016-5195
    CloudLinux Server release 6.8 (Oleg Makarov)
    No update necessary
    kpatch-cve: CVE-2016-5195
    kpatch-cve-url: https://access.redhat.com/security/cve/cve-2016-5195
    0
  • sparek-3
    BRILLIANT! They released an update that --check doesn't recognize. If you run kcarectl --update it updates! This is absolutely brilliant! I mean, why depend on --check to see if there is an update when, that never really matters! BRILLIANT!
    0
  • sparek-3
    And for those of you looking for a CentOS/RHEL/cPanel kernel update you may want to just try yum update and never ever use yum check-update because seriously! Why should you ever just check for updates? Why spend time prepping for an update when you can just update! Who cares if it breaks a system or does something you didn't anticipate! Lesson learned today... checking for updates is totally useless!
    0
  • gryzli
    Anybody with kcare fix for CloudLinux / Centos 5 ?
    0
  • rpvw
    "Anybody with kcare fix for CloudLinux / Centos 5 ?"

    CloudLinux 5 kernel released to beta
    0
  • gryzli
    Just to summarize the current state of things: CloudLinux have released the Dirty COW fix in their mainstream kernels for CL 6 and CL 7. There is a kernel update for CL5 also, but it is in the testing repo. If you are using KernelCare (the rebootless kernel patching tool by CloudLinux), you must already have the patches for all of CL 5, 6 and 7. You can check this by issuing:
    root@server [~]# kcarectl --patch-info | grep 2016-5195 -A 6
    kpatch-name: 2.6.18/CVE-2016-5195.patch
    kpatch-description: CVE-2016-5195 fix
    kpatch-kernel: kernel-2.6.18-412.el5
    kpatch-cve: CVE-2016-5195
    kpatch-cvss: 6.9
    kpatch-cve-url: CVE-2016-5195 - Red Hat Customer Portal
    kpatch-patch-url:
    0
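
A scriptable form of the check in the comment above, as an added example that is not part of the thread and not CloudLinux's code: it reads `kcarectl --patch-info` output and succeeds only when a patch record names the CVE, so a monitoring job does not depend on the `--check` result discussed earlier. It assumes each record starts with a `kpatch-name:` line, as in the quoted output; the function names and sample records are constructed.

```shell
#!/bin/sh
# Added example (not from the thread). Reads `kcarectl --patch-info` output on
# stdin and prints "patch-name<TAB>kernel" for every record covering a CVE.
# Assumption: a record starts at a "kpatch-name:" line, as in the quoted output.
cve_patch_record() {   # $1 = CVE id; exit status 0 if covered, 1 if not
    awk -v want="$1" '
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); return s }
        function emit() {
            # Case-insensitive match, like the "grep -i" used in the thread.
            if (name != "" && index(toupper(cve), toupper(want)) > 0) {
                printf "%s\t%s\n", name, kernel
                found = 1
            }
            name = ""; kernel = ""; cve = ""
        }
        /^[ \t]*kpatch-name:/   { emit(); name = val($0); next }
        /^[ \t]*kpatch-kernel:/ { kernel = val($0); next }
        /^[ \t]*kpatch-cve:/    { cve = val($0); next }
        END { emit(); exit(found ? 0 : 1) }
    '
}

sample_patched() {     # constructed from the record quoted in the thread
    cat <<'EOF'
kpatch-name: 2.6.18/CVE-2016-5195.patch
kpatch-description: CVE-2016-5195 fix
kpatch-kernel: kernel-2.6.18-412.el5
kpatch-cve: CVE-2016-5195
kpatch-cvss: 6.9
EOF
}

sample_unpatched() {   # constructed: placeholder record, CVE not covered
    cat <<'EOF'
kpatch-name: 2.6.18/example-unrelated.patch
kpatch-description: placeholder record
kpatch-kernel: kernel-2.6.18-412.el5
kpatch-cve: CVE-0000-0000
EOF
}

# On a real host: kcarectl --patch-info | cve_patch_record CVE-2016-5195
if sample_patched | cve_patch_record CVE-2016-5195; then
    echo "live patch covers CVE-2016-5195"
else
    echo "CVE-2016-5195 NOT in live patch set"
fi
```
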
  • garconcn
    Will this affect the server which does not have public SSH access? Thank you for any advice.
    0
  • ThinIce
    "Will this affect the server which does not have public SSH access? Thank you for any advice."

    Yes, if there is for example a vulnerability in a web app such as Wordpress that would allow remote code execution or if any of the accounts on your system have been breached such that an exploit could be uploaded and then executed
    0
  • gryzli
    In fact, if you have any publicly accessible service (Web, FTP, or whatever it is), and someone tries to exploit your service and succeeds (in order to make it execute code with this service's username), this could be used as an indirect vector to execute the privilege escalation exploit. It is a really bad thing.
    0
  • keat63
    Folks I don't profess to know what any of this means other than I should update or patch. Would Yum Update fix this in CentOS 6.8 Final, or do I need to run specific patches ?
    0
  • cPanelMichael
    Hello, Allow me to address some of the questions and comments that have not yet received a response.
    "and the cPanel announcement doesn't make reference to their own kernel and when they'll update it cPanel Security Team: Dirty COW (CVE-2016-5195) | cPanel Newsroom"

    Regarding the cPanel hardened kernel, there's an internal case open to build and publish an update once CentOS publishes a new kernel (the cPanel hardened kernel patches the CentOS 6 kernel for symlink race condition protection).
    "They released an update that --check doesn't recognize. If you run kcarectl --update it updates! This is absolutely brilliant! I mean, why depend on --check to see if there is an update when, that never really matters!"

    I encourage you to share your thoughts regarding KernelCare with the CloudLinux Support Team, or on their forums at: CloudLinux Forum
    "I don't profess to know what any of this means other than I should update or patch. Would Yum Update fix this in CentOS 6.8 Final, or do I need to run specific patches ?"

    You can run "yum update" to update your system kernel once CentOS releases an updated kernel that addresses the issue. Note that you must reboot the system after updating the kernel. Or, if you are interested in a third-party application, consider using KernelCare from CloudLinux: CloudLinux - Main | New template Thank you.
    0
  • gryzli
    In short, we are still waiting for RedHat/Centos to release patched kernel :)
    0
  • cPanelMichael
    CentOS 7 and RHEL 7 have published an updated kernel. We'll update the following news article again once CentOS 6 kernels are published, and once the cPKernel update is available: cPanel Security Team: Dirty COW (CVE-2016-5195) *UPDATED* | cPanel Newsroom Thank you.
    0
  • gryzli
    Thanks for this update @cPanelMichael ! Well done to RedHat, waiting for RHEL 5/6 update releases.
    0
  • garconcn
    Thanks. I've installed kernelcare to take care of it. :)
    "Yes, if there is for example a vulnerability in a web app such as Wordpress that would allow remote code execution or if any of the accounts on your system have been breached such that an exploit could be uploaded and then executed"

    0
  • ItsMattSon
    Can anyone tell me how screwed I am if I'm using an OpenVZ/Virtuozzo CentOS 6.8 VPS? I presume I can't update the kernel?
    0
  • torrent4all
    There is still no patch for CentOS :(
    0
  • ThinIce
    "Regarding the cPanel hardened kernel, there's an internal case open to build and publish an update once CentOS publishes a new kernel (the cPanel hardened kernel patches the CentOS 6 kernel for symlink race condition protection)."

    Apologies if I came over rude over that, it just seemed odd to me (and still does) that the cPanel kernel is not mentioned in the security team announcement. I can just imagine the type of user who would say "stop bugging me about this, it doesn't apply to me, because it's HARDENED". The news post does nothing to dissuade them from making this error and not taking action. The CentOS 6 kernel update should now be available: Red Hat Customer Portal
    0
  • sparek-3
    Try yum clean all and then yum check-update (and yum update to actually perform the update, don't forget you'll have to reboot for the new kernel to take effect).
    0
  • hackboys
    What about cPKernel?
    0
  • cPanelMichael
    Updated kernels from all vendors, including cPanel, are now published. The news article is now updated to reflect this information: cPanel Security Team: Dirty COW (CVE-2016-5195) *UPDATED* | cPanel Newsroom Thanks!
    0
