In the last week there has been a very serious vulnerability in the Linux kernel, known as Dirty COW.

We have already made steps towards inoculating our servers to patch this vulnerability, and as part of our maintenance procedure, our servers will require a reboot which we have scheduled for 1am AEST on Sunday, October 30th.

We apologise in advance for this potential interruption to your services, however, for the greater good, we are compelled to act swiftly.

Here is some really ‘techie’ details, which probably wont interest many of you. However if you’re that way inclined, please keep reading.  Alternatively, just know we are putting every effort into our server security, to keep your web site, email and other web services hosted with us, safe, fast and as reliable as possible.

Dirty Cow Tech Stuff

Red Hat Product Security has been made aware of a vulnerability in the Linux kernel that has been assigned CVE-2016-5195. This issue was publicly disclosed on October 19, 2016 and has been rated as Important. This issue is being referred to as “Dirty COW” in the media.

Background Information

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

This could be abused by an attacker to modify existing setuid files with instructions to elevate privileges. An exploit using this technique has been found in the wild. This flaw affects most modern Linux distributions.

Impact

Red Hat Product Security has rated this update as having a security impact of Important.

Impacted Products

The following Red Hat Product versions are impacted:

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise MRG 2
  • Red Hat Openshift Online v2
  • Red Hat Virtualization (RHEV-H/RHV-H)

Attack Description and Impact

This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set. This is achieved by racing the madvise (MADV_DONTNEED) system call while having the page of the executable mmapped in memory.

Take Action

All Red Hat customers running the affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.

Updates for Affected Products

A kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available. Please open a support case to gain access to the kpatch.

kind regards

James Demetrie – Owner/Founder diskmandotnet