Blog

There’s a serious vulnerability that affects most Linux Operating Systems, CVE-2016-5195, also known as Dirty COW (yes, the name sounds silly but the problem is serious!).

Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel that can allow a local user (like a web hosting account) to gain root access to the server. This can also be a huge problem if your Magento store is compromised and the attacker has the ability to upload files to your server or hosting account.

The vulnerability is present in all major Linux Operating Systems and security researchers have detected in the wild (ITW) attacks even before security patches were released by the various operating systems.

If you manage your own server, you will need to update the kernel (and reboot your server) once the security patch is issued by your operating system providers.

If you do not manage your own server or if you are using shared hosting, contact your server administrator or hosting provider to make sure that you are protected against this vulnerability.

About Dirty Cow

A race condition was found in the way the Linux kernel’s memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings.

The bug has existed since around 2.6.22 (released in 2007) and was fixed on Oct 18, 2016.

Impact

• An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.
• This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the standard permission mechanisms that would prevent modification without an appropriate permission set.

How

• The In The Wild exploit relied on writing to /proc/self/mem on one side of the race.
• ptrace(PTRACE_POKEDATA) can write to readonly mappings.
• The attack relies on racing the madvise(MADV_DONTNEED) system call while having the page of the executable mmapped in memory.