Thanks to TurnKey community member John Carver it has come to our attention that all existing deployments of TurnKey Linux are potentially vulnerable to CVE-2016-5195. As reported by Andrej Nemec last week on the Red Hat bugtracker "An unprivileged local user could use this flaw to gain write access to otherwise read only memory mappings and thus increase their privileges on the system."
As seems to be the trend these days, it has been given the catchy moniker "Dirty COW" and has its own website and a cute logo.
This privilege escalation vulnerability, which dates back nearly a decade, was discovered by security researcher Phil Oester. In an interview he noted that he discovered the vulnerability in the wild when "One of the sites I manage was compromised, and an exploit of this issue was uploaded and executed." The maker of the dirtycow.ninja website has also provided some further details of the vulnerability in a wiki hosted on GitHub.
Debian have pushed out a patched kernel for the stable release (Jessie - the basis of v14.x) as noted by DSA-3696-1. TurnKey's Automatic Security Updates should have already installed this for you. Note that Debian also released a patched kernel for Wheezy (TurnKey v13.x).
If auto updates fix this, why do I need to know?

Whilst the TurnKey security updates mechanism automatically installs all relevant security updates available from Debian, the running kernel is not replaced until the server is rebooted. Users still need to reboot the server to start using the updated kernel.
To be exploited, this vulnerability requires shell access. So most TurnKey users who do not allow additional OS user accounts should be relatively safe. This is especially the case for v14.x users as service accounts (e.g. www-data) no longer have a shell by default. However, if an attacker were to daisy chain this with other exploits (e.g. a SQL injection) then they could potentially gain full control of your server!
Whilst v14.x (Debian Jessie) and v13.x (Debian Wheezy) users should be ok after a reboot, the news for users of older TurnKey servers is not so good. This vulnerability was introduced into the kernel nearly a decade ago, so all earlier versions of TurnKey are vulnerable and WILL NOT be getting a security patch. I strongly urge you to upgrade to the current release ASAP!

To confirm which kernel your server is actually running (as opposed to which one is installed), check the output of uname -v:

root@tkldev ~# uname -v
#1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)

The fixed versions are noted on Debian's CVE-2016-5195 page. For v14.x you are looking for "3.16.36-1+deb8u2"; for v13.x you want "3.2.82-1". There is no fix for earlier versions other than to upgrade to a supported version.
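The check above can be scripted so it can be run across a fleet of servers. The following POSIX sh script is an added example written for this post; it is not part of TurnKey's tooling. It parses the `uname -v` line of the running kernel, extracts the Debian package version, and compares it against the fixed versions quoted above for the Jessie (v14.x) and Wheezy (v13.x) series. The version comparison is a numeric-segment comparison written here in awk, which is an approximation of dpkg's ordering that is sufficient for these kernel version strings. Because it looks at the running kernel rather than the installed package, it reports "vulnerable" on a server that has downloaded the patched kernel but has not yet been rebooted, which is exactly the case this post is warning about.

```shell
#!/bin/sh
# Added example (not TurnKey's own code): report whether the RUNNING kernel
# is at or past the Debian fix for CVE-2016-5195 ("Dirty COW").
# Fixed versions are the ones quoted in the advisory above.
FIXED_JESSIE="3.16.36-1+deb8u2"   # TurnKey v14.x (Debian 8)
FIXED_WHEEZY="3.2.82-1"           # TurnKey v13.x (Debian 7)

# Extract the Debian kernel package version from a `uname -v` line such as
# "#1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19)". Prints the version, or
# nothing if the line does not come from a Debian-built kernel.
kernel_version_from_uname() {
    printf '%s\n' "$1" | sed -n 's/^#[0-9][0-9]* .*Debian \([^ ]*\).*/\1/p'
}

# Return 0 if version $1 is greater than or equal to version $2.
# Both strings are split on runs of non-digits and compared segment by
# segment ("3.16.36-1+deb8u2" -> 3 16 36 1 8 2). This is an approximation
# of dpkg --compare-versions that is adequate for the strings handled here.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xa = (i <= na) ? x[i] + 0 : 0
            yb = (i <= nb) ? y[i] + 0 : 0
            if (xa != yb) exit ((xa > yb) ? 0 : 1)
        }
        exit 0
    }'
}

# Print "patched", "vulnerable" or "unknown" for a `uname -v` line.
#   - 3.16.x (Jessie) and 3.2.x (Wheezy) are compared against Debian's fix.
#   - 2.6.x kernels (earlier TurnKey releases) will not receive a fix; the
#     only remedy the advisory gives is to upgrade, so they are "vulnerable".
#   - Anything else is outside the scope of this advisory.
dirtycow_status() {
    ver=$(kernel_version_from_uname "$1")
    case "$ver" in
        "")      echo unknown ;;
        3.16.*)  version_ge "$ver" "$FIXED_JESSIE" && echo patched || echo vulnerable ;;
        3.2.*)   version_ge "$ver" "$FIXED_WHEEZY" && echo patched || echo vulnerable ;;
        2.6.*)   echo vulnerable ;;
        *)       echo unknown ;;
    esac
}

# When executed directly, report on this host's running kernel.
running=$(uname -v)
printf 'running kernel: %s -> %s\n' "$running" "$(dirtycow_status "$running")"
```

A result of "vulnerable" on a v14.x or v13.x server where Automatic Security Updates have run almost always means the patched kernel is installed but the machine has not been rebooted yet; "unknown" means the kernel is not a Debian build or is a series this advisory does not cover, so check Debian's CVE-2016-5195 page directly.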
For users wishing to use TKLBAM to migrate to a current version, please see our docs for a suggested workflow and further considerations.
Resources and further reading:

http://dirtycow.ninja/
Thanks again to John for bringing this to our attention!