TurnKey Linux Virtual Appliance Library

CVE-2016-5195: Dirty COW - Privilege escalation kernel vulnerability

Thanks to TurnKey community member John Carver it has come to our attention that all existing deployments of TurnKey Linux are potentially vulnerable to CVE-2016-5195. As reported by Andrej Nemec last week on the Red Hat bugtracker "An unprivileged local user could use this flaw to gain write access to otherwise read only memory mappings and thus increase their privileges on the system."

As seems to be the trend these days it has been given the catchy moniker "Dirty COW" and has its own website and a cute logo.

This privilege escalation vulnerability which dates back nearly a decade was discovered by security researcher, Phil Oester. In an interview he noted that he discovered the vulnerability in the wild when "One of the sites I manage was compromised, and an exploit of this issue was uploaded and executed." The maker of the dirtycow.ninja website has also provided some further details of the vulnerability in a wiki hosted on GitHub.

Debian have pushed out a patched kernel for the stable release (Jessie - the basis of v14.x) as noted by DSA-3696-1. TurnKey's Automatic Security Updates should have already installed this for you. Note that Debian also released a patched kernel for Wheezy (TurnKey v13.x).

If auto updates fix this why do I need to know?

Whilst the TurnKey security updates mechanism automatically installs all relevant security updates available from Debian, users still need to reboot the server to start using the updated kernel.

To be exploited, this vulnerability requires shell access. So most TurnKey users who do not allow additional OS user accounts should be relatively safe. This is especially the case for v14.x users as service accounts (e.g. www-data) no longer have a shell by default. However, if an attacker were to daisy chain this with other exploits (e.g. a SQL injection) then they could potentially gain full control of your server!

Whilst v14.x (Debian Jessie) and v13.x (Debian Wheezy) users should be ok after a reboot, the news for users of older TurnKey servers is not so good. This vulnerability was introduced into the kernel nearly a decade ago, so all earlier versions of TurnKey are vulnerable and WILL NOT be getting a security patch. I strongly urge you to upgrade to the current release ASAP!

How can I check I'm safe?

The easiest way to check that you are ok is to look at the kernel version you are running. Here's an example from a TKLDev server I have running locally:
root@tkldev ~# uname -v
#1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)
The fixed versions are noted by Debian's CVE-2016-5195 page. For v14.x you are looking for "3.16.36-1+deb8u2"; while v13.x wants "3.2.82-1". There is no fix for earlier versions other than to upgrade to a supported version.
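The check above done in a script, as an added example that is not code from the TurnKey post: it pulls the Debian package version out of a `uname -v` line, compares it against the fixed versions quoted above (treating anything newer as fixed too), and separately flags the "installed but not yet booted" state the reboot advice is about. It assumes GNU `sort -V` is available and uses `dpkg --compare-versions` when present; the sample lines are constructed from the post's own output.

```shell
#!/bin/sh
# Added example, not code from the TurnKey post: decide from a `uname -v` line
# whether the running kernel carries Debian's CVE-2016-5195 fix. Fixed versions
# are the ones the post quotes (DSA-3696-1); anything newer also counts as fixed.
# Assumption: GNU `sort -V` exists; `dpkg --compare-versions` is used if present.

FIXED_JESSIE="3.16.36-1+deb8u2"   # TurnKey v14.x (Debian Jessie)
FIXED_WHEEZY="3.2.82-1"           # TurnKey v13.x (Debian Wheezy)

# "#1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)" -> "3.16.36-1+deb8u2".
# Prints nothing for a kernel that is not a Debian package build.
kernel_pkg_version() {
    printf '%s\n' "$1" | sed -n 's/.*Debian \([^ ]*\).*/\1/p'
}

# True (exit 0) when $1 >= $2 as Debian package versions.
version_ge() {
    if command -v dpkg >/dev/null 2>&1; then
        dpkg --compare-versions "$1" ge "$2"
    else
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
    fi
}

# Prints "fixed", "vulnerable" or "unsupported" (pre-Wheezy kernels never got
# a patch); exit status 0 only for "fixed".
dirtycow_status() {
    ver=$(kernel_pkg_version "$1")
    case "$ver" in
        3.16.*) fixed="$FIXED_JESSIE" ;;
        3.2.*)  fixed="$FIXED_WHEEZY" ;;
        *)      echo unsupported; return 1 ;;
    esac
    if version_ge "$ver" "$fixed"; then echo fixed; return 0; fi
    echo vulnerable; return 1
}

# Auto-updates install the package but only a reboot activates it: given the
# `uname -v` line and the installed package version (e.g. from dpkg-query),
# exit 0 when the running kernel is still the old one.
reboot_needed() {
    running=$(kernel_pkg_version "$1")
    [ -n "$running" ] && [ "$running" != "$2" ]
}

# Constructed sample lines for a stand-alone run (taken from the post text).
for line in "#1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)" \
            "#1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02)"; do
    printf '%-48s %s\n' "$line" "$(dirtycow_status "$line")"
done
```

On a live host, feed it `"$(uname -v)"` and, for `reboot_needed`, the version from `dpkg-query -W -f '${Version}' linux-image-3.16.0-4-amd64`.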

For users wishing to use TKLBAM to migrate to a current version, please see our docs for a suggested workflow and further considerations.

Resources and further reading:

http://dirtycow.ninja/
https://github.com/dirtycow/dirtycow.github.io/wiki/VulnerabilityDetails
https://lists.debian.org/debian-security-announce/2016/msg00277.html
https://security-tracker.debian.org/tracker/DSA-3696-1
http://www.v3.co.uk/v3-uk/news/2474845/linux-users-urged-to-protect-agai...
http://arstechnica.com/security/2016/10/most-serious-linux-privilege-esc...
http://www.theregister.co.uk/2016/10/21/linux_privilege_escalation_hole/
http://www.itnews.com.au/news/attackers-exploit-ancient-dirty-cow-kernel...

Thanks again to John for bringing this to our attention!


Comments

Keyturns

TKL scripts failed to apply security update for CVE-2016-5195

Hello,

I tried to apply the security updates to patch the CVE-2016-5195 vulnerability but it did not appear to work. I have the Wordpress appliance 14.0 and the result of "uname -v" is "#1 SMP Debian 3.16.7-ckt25-2+deb8u3 (2016-07-02)". I tried the commands you noted here: https://www.turnkeylinux.org/docs/automatic-security-updates

I ran the command:

turnkey-install-security-updates

and the result ultimately was:

"0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded."

The uname command gave the same result as above.

I also ran:

/usr/sbin/cron-apt

again nothing happened and the uname was the same.

I have left the machine running so I guess the 4AM auto update you guys have in there must have failed too.

Any suggestions as to what I can try now?

Jeremy Davis

Have you rebooted?

Have you rebooted your server? As I noted above, the security updates should already be installed but you need to reboot to start using the updated kernel. If not, please try that first.

At a glance, it looks like either the update is installed already but just not being used; or you aren't getting updated package information for some weird reason.

If rebooting doesn't make any difference, can you please give me the output of:

apt-get update
apt-get install linux-image-amd64

Keyturns

A reboot resolved this

A reboot indeed resolved this. When I do a "uname -v" now after the reboot I get:

#1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)


Jeremy Davis

Great!

Glad to hear that did the trick! :)

VladGets

Wow

Cool

What the side of the page?

Scott

What am I missing ?

Would appreciate some help on this .. got a turnkey nginx server (turnkey-nginx-php-fastcgi-14.0-jessie-amd64)

uname -v returns:

#1 SMP Debian 3.16.7-ckt11-1+deb8u5 (2015-10-09)

Have also run 

turnkey-install-security-updates

And 

/usr/sbin/cron-apt

And rebooted - but still showing the older kernel.

The following was also no help - it all reports up to date.

apt-get update && apt-get upgrade && apt-get dist-upgrade

This also indicates nothing to update:

apt-get install linux-image-amd64

output is:

Reading package lists... Done
Building dependency tree
Reading state information... Done
linux-image-amd64 is already the newest version.
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.


Confused ???   Scott

Scott

www.rakata.co.uk

Jeremy Davis

Sorry for slow response Scott

Apologies, I missed your comment here, sorry.

That does seem really weird and TBH I don't understand. Are you getting any errors or warnings when you run apt-get update?

Also what is the output from:

apt-cache policy linux-image-amd64

Scott

apt-get and apt-cache output

apt-get

Get:1 http://security.debian.org jessie/updates InRelease [63.1 kB]
Get:2 http://security.debian.org jessie/updates/main amd64 Packages [328 kB]
Ign http://http.debian.net jessie InRelease
Ign http://archive.turnkeylinux.org jessie-security InRelease
Get:3 http://security.debian.org jessie/updates/contrib amd64 Packages [2506 B]
Get:4 http://security.debian.org jessie/updates/contrib Translation-en [1211 B]
Hit http://http.debian.net jessie Release.gpg
Get:5 http://security.debian.org jessie/updates/main Translation-en [173 kB]
Ign http://archive.turnkeylinux.org jessie InRelease
Hit http://http.debian.net jessie Release
Hit http://archive.turnkeylinux.org jessie-security Release.gpg
Hit http://http.debian.net jessie/main amd64 Packages
Hit http://http.debian.net jessie/contrib amd64 Packages
Hit http://archive.turnkeylinux.org jessie Release.gpg
Hit http://http.debian.net jessie/contrib Translation-en
Hit http://http.debian.net jessie/main Translation-en
Hit http://archive.turnkeylinux.org jessie-security Release
Hit http://archive.turnkeylinux.org jessie Release
Hit http://archive.turnkeylinux.org jessie-security/main amd64 Packages
Hit http://archive.turnkeylinux.org jessie/main amd64 Packages
Ign http://archive.turnkeylinux.org jessie-security/main Translation-en
Ign http://archive.turnkeylinux.org jessie/main Translation-en
Fetched 568 kB in 3s (156 kB/s)
Reading package lists... Done

and apt-cache

linux-image-amd64:
  Installed: 3.16+63
  Candidate: 3.16+63
  Version table:
 *** 3.16+63 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages
        100 /var/lib/dpkg/status

I noticed there are a few Ign's on apt-get - I'd always treated that as a warning - is that an issue?

Scott

www.rakata.co.uk

Jeremy Davis

I don't understand...?!

Your apt-get update output looks ok and the kernel meta-package matches mine too?! Perhaps double check for the actual kernel package itself:

apt-cache policy linux-image-3.16.0-4-amd64

If that isn't showing the right version (i.e. 3.16.36-1+deb8u2) as installed/installable, then the only thing I can think of is perhaps you are being directed to a "bad" Debian mirror which is out of date?

The one we use by default, should redirect you to the best mirror. However, in your case, perhaps it's not for some reason? So perhaps try explicitly using one of the Debian mirrors (don't change the TurnKey mirror, just the entries that are http.debian.org).

To do that have a look at your apt sources file(s). The default top level sources file is /etc/apt/sources.list but by default in TurnKey we leave that empty and instead it is configured in 2 separate files within /etc/apt/sources.list.d/. FWIW apt will read any file within that directory which has a .list file extension. By default TurnKey provides a general sources.list (/etc/apt/sources.list.d/sources.list) and a security sources list (/etc/apt/sources.list.d/security-sources.list). Initially just adjust the general list. But once you have resolved the immediate issue, I urge you to also update the security list (that's what the auto secupdates uses).

Obviously you'll need to run "apt-get update" once you've updated your sources.list. I also recommend that initially you just check for the versions available (i.e. apt-cache policy).

As for your question re the "Ign"s, TBH I'm not 100% sure, but AFAIK it is as you say; a warning. I see them lots on my (Debian) desktop as I'm Australian and use the en_AU locale. But as "Australian English" (at least in more formal written form) is essentially a subset of British and US English, nobody makes any specific translations for en_AU so when apt-get update checks for Australian translations they always return "Ign".

Scott

Installed or not installed - that is the question :-)

Output from : apt-cache policy linux-image-3.16.0-4-amd64

linux-image-3.16.0-4-amd64:
  Installed: 3.16.36-1+deb8u2
  Candidate: 3.16.36-1+deb8u2
  Version table:
 *** 3.16.36-1+deb8u2 0
        500 http://security.debian.org/ jessie/updates/main amd64 Packages
        100 /var/lib/dpkg/status
     3.16.36-1+deb8u1 0
        500 http://http.debian.net/debian/ jessie/main amd64 Packages

So that in fact looks good.  Strange then that uname -v should report something else.

This is stretching my linux experience, so I'm guessing, but is it possible apt thinks it's installed but in fact it hasn't been applied properly?

As the apt-cache looks good I have followed up on the sources - but the lists look ok as best I can tell.

Thanks for the support on this.  


Scott

www.rakata.co.uk

Jeremy Davis

So the new kernel is installed, just not being used...

uname gives info about the kernel in use. apt gives info about what's installed.

So you have the right kernel installed, it's just your system isn't using it.

Normally a reboot should resolve that. But you said that you had already rebooted right?!

Maybe for some reason your server was a bit slow to update, so when you rebooted before the new kernel hadn't installed. But at some point since it has installed the update and just needs a reboot now!?

Scott

Yes - I had rebooted - at least twice

I'll reboot it again when I get a chance.

Scott

www.rakata.co.uk
