24 Oct

The Linux ‘Dirty COW’ Vulnerability


Last week a particularly nasty vulnerability nicknamed ‘Dirty COW’ was disclosed to the public. Designated CVE-2016-5195, This privilege escalation vulnerability has existed in the Linux kernel since 2007, and exploits a race condition in the memory management subsystem (specifically copy-on-write) which could allow an attacker to gain root access to a Linux system they are able to reach.

TL;DR: This bug means that an ordinary, unprivileged user can write to any file they have read access to, potentially allowing them to escalate to root access and further compromise a system.

The good news- as a security-focused hosting company, Sharpstack has already secured all our servers against this exploit. We pro-actively patch and secure our fleet against known security vulnerabilities to ensure your data is safe. If you’re interested, you can check out our Shared Hosting plans here and our Managed Dedicated servers here.


How do I know if I’m vulnerable?

Many kernel versions above 2.6.22 are affected by this issue. If you’re running anything below the following, you should patch immediately:

  • 4.8.0-26.28 for Ubuntu 16.10
  • 3.16.36-1+deb8u2 for Debian 8
  • 3.2.82-1 for Debian 7


Redhat/CentOS users are also affected, and Redhat have provided a script to test if you are vulnerable. Run the following commands (as root) to verify:

wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_1.sh
bash rh-cve-2016-5195_1.sh

The script output will tell you if you’re affected.


How do I protect myself?

Most major Linux distributions have released a fix for this issue, so protecting yourself is just a matter of updating. Unfortunately, you will need to reboot your system to do this.

Debian, Ubuntu and variations thereof can simply run:

apt-get update && apt-get upgrade && apt-get dist-upgrade

and then reboot their systems.

CentOS and RedHat (which our cPanel fleet runs on) need to apply a temporary fix using a Systemtap script to disable the ptrace syscall. This is fairly straightforward:

Install kernel-devel and debuginfo packages for your system:

 yum install kernel-devel-$(uname-r)
 yum install debuginfo-$(uname-r)

Save the following into a plaintext file with a .stp extension:

probe kernel.function("mem_write").call ? { $count = 0 }
probe syscall.ptrace { // includes compat ptrace as well $request = 0xfff }
probe begin { printk(0, "CVE-2016-5195 mitigation loaded") }
probe end { printk(0, "CVE-2016-5195 mitigation unloaded") }

Run the file:

stap -g [filename from step 1].stp

More details on this method can be found here: https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

Once RedHat releases a full fix for this issue we’ll be sure to apply it across our fleet.


In summary- this is a serious vulnerability with a known exploit in the wild. As a hosting provider that takes security seriously, Sharpstack has taken preventative measures to protect our customers.

Share this