Patching the Dirty Cow Exploit on CentOS

What is “Dirty Cow (CVE-2016-5195)”?

The “Dirty Cow” vulnerability is exploited through how Linux processes code. It allows for an unprivileged user to gain root privileges. This can be used on any server with a vulnerable kernel. At the time of writing, there have been updates to certain operating systems, but others remain affected. The vulnerability is typically used on shared hosting accounts with shell access. As such, to prevent damage to other users, updating is crucial.

Affected systems

Any CentOS 5/6/7 system.

Test and patching

RHEL has a utility available to test your server. Simply download the following with:

wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh

bash rh-cve-2016-5195_1.sh

If your server is vulnerable, you will be notified by the script:

Your kernel is <version here> which IS vulnerable.
Red Hat recommends that you update your kernel. Alternatively, you can apply partial
mitigation described at https://access.redhat.com/security/vulnerabilities/2706661 .

If you are indeed vulnerable, proceed to the next step. Otherwise, no action is required.

Patching is quite simple:

yum update -y
reboot

Check that your server was patched by running the rh-cve script again. If your server is still affected, we must patch it manually.

Manual patch

We must install Systemtap to apply the kernel update:

yum install systemtap -y

Now, create a file called new.stp.

Paste the following:

probe     kernel.function("mem_write").ca ll ? {
        $count = 0
}

probe syscall.ptrace {  //   includes compat ptrace as well
        $request = 0xfff
}

probe begin {
        printk(0, "CVE-2016-5195   mitigation loaded")
}

probe end {
        printk(0, "CVE-2016-5195    mitigation unloaded")
}

Save, then exit.

Run the following command:

stap -g new.stp

Now, reboot your server:

shutdown -r now

Conclusion

Congratulations. You have updated your server successfully.