DevHeads.net

CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Flaw

Dear All,

I guess we all have to urgently apply a workaround, following, say, this:

https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/

At least those of us who still have important multi user machines running
Linux. (Yes, me too, I do have a couple, thank goodness, the rest are
already not ;-)

Have a productive weekend, everybody.

Valeri

++++++++++++++++++++++++++++++++++++++++
Valeri Galtsev
Sr System Administrator
Department of Astronomy and Astrophysics
Kavli Institute for Cosmological Physics
University of Chicago
Phone: 773-702-4247
++++++++++++++++++++++++++++++++++++++++

Comments

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Johnny Hughes at 10/28/2016 - 10:43

On 10/22/2016 07:49 PM, Valeri Galtsev wrote:
And to close the book on this CVE, I just pushed the CentOS-5.11 kernel
to fix this issue as well:

kernel-2.6.18-416.el5

So, the only thing we still have to release is a fixed kernel for the
aarch64 AltArch SIG. And we are building a test kernel for that right now.

ppc64le, ppc64, i686, arm32 for CentOS-7 .. and all released arches for
CentOS-5 and CentOS-6 ... now all have updates released.

Thanks,
Johnny Hughes
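
A check built from the fixed builds named in this thread (kernel-2.6.18-416.el5, kernel-2.6.32-642.6.2.el6, kernel-3.10.0-327.36.3.el7), added here as an example and not written by any poster or by the CentOS project. It classifies a `uname -r` style string; the function names and the sample release strings are constructed for illustration.

```sh
#!/bin/sh
# Added example: classify a `uname -r` string against the fixed kernel
# builds named in this thread. Function names are illustrative.

# Compare two versions made of integers joined by '.' or '-'.
# Prints -1, 0 or 1; a missing trailing component counts as 0.
vercmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%[.-]*}; y=${b%%[.-]*}                        # leading components
    if [ "$a" = "$x" ]; then a=; else a=${a#*[.-]}; fi  # drop them
    if [ "$b" = "$y" ]; then b=; else b=${b#*[.-]}; fi
    x=${x:-0}; y=${y:-0}
    if [ "$x" -lt "$y" ]; then printf '%s\n' -1; return; fi
    if [ "$x" -gt "$y" ]; then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Prints patched, vulnerable or unknown for a kernel release string.
dirtycow_status() {
  case "$1" in
    *.el5*) fixed=2.6.18-416 ;;       # kernel-2.6.18-416.el5
    *.el6*) fixed=2.6.32-642.6.2 ;;   # kernel-2.6.32-642.6.2.el6
    *.el7*) fixed=3.10.0-327.36.3 ;;  # kernel-3.10.0-327.36.3.el7
    *) echo unknown; return ;;        # not an EL5/6/7 kernel string
  esac
  run=${1%%.el[0-9]*}                 # strip dist tag, arch, flavour
  case "$run" in
    ''|*[!0-9.-]*) echo unknown; return ;;
  esac
  if [ "$(vercmp "$run" "$fixed")" -ge 0 ]; then
    echo patched
  else
    echo vulnerable
  fi
}

# Constructed sample release strings (not taken from real hosts).
for rel in 3.10.0-327.el7.x86_64 2.6.32-642.6.2.el6.x86_64 \
           2.6.18-412.el5PAE 4.4.26-201.el7.centos.x86_64; do
  echo "$rel: $(dirtycow_status "$rel")"
done

# What matters is the kernel that is running, not the newest one
# installed: a host that was updated but not rebooted is still exposed.
if [ "${1:-}" = "--live" ]; then
  echo "running $(uname -r): $(dirtycow_status "$(uname -r)")"
fi
```

A version comparison only knows the builds listed in it, so a locally rebuilt kernel that carries the fix, like the local build mentioned in this thread, is reported as vulnerable.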

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel

By Valeri Galtsev at 10/28/2016 - 10:50

On Fri, October 28, 2016 9:43 am, Johnny Hughes wrote:
Johnny, thanks a lot!!

(even though on my most ancient venerable couple of boxes still running
CentOS 5 users cannot execute anything of their own, so the boxes are
immune to hack from inside, it still gives one a great feeling to have
the kernel patched).

Thanks again for the great job you guys are doing!

Valeri


RES: CVE-2016-5195 “DirtyCOW”: Critical Linux Kern

By Leonardo Olivei... at 11/01/2016 - 04:48

RedHat and Centos 4.x can be explored by this flaw?


Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By James Pearson at 11/01/2016 - 13:13

Leonardo Oliveira Ortiz wrote:
See:

https://access.redhat.com/security/cve/cve-2016-5195

James Pearson

Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By Tony Mountifield at 11/01/2016 - 19:25

In article <5818CD31.4050008@moving-picture.com>,
James Pearson <james-p@moving-picture.com> wrote:
In other words, no: RHEL 4 and CentOS4 are not affected by this flaw.

Tony

Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By Valeri Galtsev at 11/01/2016 - 19:49

On Tue, November 1, 2016 6:25 pm, Tony Mountifield wrote:
My understanding is: RHEL is obsolete, hence it will not even be mentioned
on that page, whether it is known to be affected or not.

Valeri


Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By Richard at 11/01/2016 - 20:05

RHEL/Centos-4 is EOL so wouldn't be updated regardless (at least
under the normal EOL guidelines), but it is mentioned toward the
bottom of that page under "Affected Packages State":

Red Hat Enterprise Linux 4 kernel Not affected

Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By Peter at 11/02/2016 - 00:52

On 02/11/16 13:05, Richard wrote:
It is mentioned because RHEL4 is in extended life phase, so not EOL yet.

CentOS 4 is EOL as CentOS does not track the extended life phase of Red Hat.

Peter

Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By Christopher G. ... at 11/02/2016 - 07:52

Dear Sir/s,

What I mean is the system crashed where the OS is no longer booting properly. This started when I did a "partition resize".

Unfortunately, we don't have any backup of the system.

Thanks in advance for your help.

Regards,

CHRIS


Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By Leonard den Ott... at 11/02/2016 - 12:03

Hello Christopher,

As Peter already pointed out it is not done to "hijack" existing
threads. It is confusing for the reader to have a different subject
discussed in an existing thread. Please start a new mail with a
descriptive subject line and send that to the list. Thank you.

Regards,
Leonard.

Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By Christopher G. ... at 11/01/2016 - 21:03

Dear Sir/s,

Can a crashed CentOS system be restored to its previous state before it crashed? And if so, can you please tell me how to do it?
Thanks, your help is very much appreciated.


Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By Richard at 11/01/2016 - 21:36

You appear to have hijacked this (DirtyCOW) thread. You may want to
re-post your question as a new message so that it won't get mingled
with this discussion.

Re: CVE-2016-5195 DirtyCOW: Critical Linux Kernel Flaw

By John R Pierce at 11/01/2016 - 21:09

On 11/1/2016 6:03 PM, Christopher G. Halnin wrote:
1) define 'crashed'

2) got backups?

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Johnny Hughes at 10/23/2016 - 08:28

On 10/22/2016 07:49 PM, Valeri Galtsev wrote:
We are waiting for the official RHEL source code for this issue for the
base kernel, and I do not recommend everybody out there use our
experimental 4.4.x kernel for x86_64, BUT with that said I did release a
kernel on Friday that has the fix for CVE-2016-5195.

It is kernel-4.4.26-201.el7.centos.x86_64.rpm, and it lives here:

http://mirror.centos.org/altarch/7/experimental/x86_64/

I don't recommend using this in production without lots of testing
first, and it requires a new linux-firmware, xfsprogs, supermin5. It
also does not support secure boot.

I am using it on several (currently 6) machines and we created it for
newer IoT type boards and compute sticks, etc. I have it running on 3
laptops and 3 KVM servers without any issues .. but that is a very small
subset of tested configurations.

Thanks,
Johnny Hughes

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Valeri Galtsev at 10/22/2016 - 21:20

On Sat, October 22, 2016 7:49 pm, Valeri Galtsev wrote:
I should have said CentOS 7. Older ones (CentOS 6 and 5) are not vulnerable.

Luckily, no multi-user CentOS 7 machines here, only single user workstations.

Good luck, everybody!

Valeri

PS Sorry about a bit premature first message: I realize now that I was in
the same state of mind as back then when there was remote root SSH
vulnerability. It was long ago, but some may still remember that...


Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Gilbert Sebenste at 10/24/2016 - 12:29

Patch is out on RHEL side:

https://rhn.redhat.com/errata/RHSA-2016-2098.html

*******************************************************************************
Gilbert Sebenste ********
(My opinions only!) ******
*******************************************************************************

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Christian Anthon at 10/25/2016 - 04:06

What is the best approach on CentOS 6 to mitigate the problem until it is
officially patched? As far as I can tell CentOS 6 is vulnerable to
attacks using ptrace.

There is a mitigation described here

https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

which doesn't fix the underlying problem, but at least protects against
known attack vectors. However, I'm unsure if the script only applies to
Centos 7, or if it also works on Centos 6?

Cheers, Christian

On 24-10-2016 18:29, Gilbert Sebenste wrote:

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Peter Kjellstrom at 10/25/2016 - 09:39

On Tue, 25 Oct 2016 10:06:12 +0200

I can confirm that c6 is vulnerable, we're running a patched kernel
(local build) using a rhel6 adaptation of the upstream fix.

Ask off-list if you want an src.rpm

/Peter K

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By m.roth at 10/25/2016 - 14:18

My manager just told me that upstream has released a patched kernel for 7:

CentOS package kernel-3.10.0-327.36.3.el7.x86_64.rpm
see http://rhn.redhat.com/errata/RHSA-2016-2098.html

I'm hoping Johnny can get us that, hopefully before the end of the week.

mark

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Phelps, Matt at 10/25/2016 - 14:58

That came out this morning:

Johnny Hughes < ... at centos dot org>
7:17 AM (7 hours ago)
to centos-announce

CentOS Errata and Security Advisory 2016:2098 Important

Upstream details at : https://rhn.redhat.com/errata/RHSA-2016-2098.html

The following updated files have been uploaded and are currently
syncing to the mirrors: ( sha256sum Filename )


Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By m.roth at 10/25/2016 - 16:37

Phelps, Matthew wrote:
Thank you, Johnny, and the whole team.

mark

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Johnny Hughes at 10/26/2016 - 04:09

On 10/25/2016 03:37 PM, m.roth@5-cent.us wrote:
You are welcome.

The CentOS-6 kernel with the CVE-2016-5195 is finished, passed our CI
suite tests, and is now pushed to our master mirror
(kernel-2.6.32-642.6.2.el6)

It should be installable from mirror.centos.org in an hour or so.
External mirrors should also be able to start syncing to get it in about
an hour as well.

Still no upstream EL5 release. We will get that one released as soon as
we have the source code for it.

Thanks,
Johnny Hughes

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Leon Fauster at 10/25/2016 - 13:26

On 25.10.2016 at 15:39, Peter Kjellström < ... at nsc dot liu.se> wrote:

Hi Peter, can you confirm that it's this?

http://pastebin.centos.org/56391/

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Akemi Yagi at 10/25/2016 - 20:21

On Tue, Oct 25, 2016 at 10:26 AM, Leon Fauster
< ... at googlemail dot com> wrote:
That is for the EL-7.2 kernel. Peter was offering a patch for CentOS 6.

RH released the patched kernel for EL-6.8 today. I have attached the
diff file between 2.6.32-642.6.1.el6 and 2.6.32-642.6.2.el6. It is
more complex because the 6 kernel is older, so required more mods, I
suppose. Maybe that was the reason why the EL-6 update took longer
than EL-7.

Akemi

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Peter Kjellstrom at 10/26/2016 - 06:56

On Tue, 25 Oct 2016 17:21:54 -0700

We also did a quick diff for the official c6 patch and it's almost but
not quite what we were using as a quick fix.

/Peter

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Johnny Hughes at 10/26/2016 - 07:30

On 10/26/2016 05:56 AM, Peter Kjellström wrote:
The 6 kernel is released now .. Use that :)

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Peter Kjellstrom at 10/26/2016 - 12:53

On Wed, 26 Oct 2016 06:30:45 -0500

You misunderstood me. I was referring to the difference between the
quick fix initially deployed by us and the now released fix. We're
almost completely updated from quick fix to official fix by now.

/Peter

Re: CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

By Christian Anthon at 10/25/2016 - 09:50

On 25-10-2016 15:39, Peter Kjellström wrote:
Thanks,

the srpm would be very helpful, I'll reply off-list.

Cheers, Christian.

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Phelps, Matt at 10/25/2016 - 08:29

I've installed kernel-debug, kernel-devel, kernel-debug-devel,
kernel-debug-debuginfo, kernel-debuginfo-common and I still get:

stap -g -p 4 dirtyc0w.stp
semantic error: while resolving probe point: identifier 'syscall' at
dirtyc0w.stp:5:7
source: probe syscall.ptrace {
^

semantic error: no match

Pass 2: analysis failed. [man error::pass2]

Anybody have any success with this?

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fl

By Peter Kjellstrom at 10/25/2016 - 09:38

On Tue, 25 Oct 2016 08:29:33 -0400

You have the wrong packages. You want "kernel-debuginfo" and
"kernel-debuginfo-common" for the running kernel. You've by mistake got
"kernel-debug-debuginfo" which is the debuginfo for the debug kernel
(not the normal kernel).

/Peter K

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Phelps, Matt at 10/25/2016 - 09:53

Bingo. That was it. Thanks!

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Zube at 10/22/2016 - 21:31

https://bugzilla.redhat.com/show_bug.cgi?id=1384344

Comment #35 points to a link that doesn't depend on /proc/self/mem and
claims to work on CentOS 6 and 5. I'm not quite sure what I should
be looking for when I run the program, though.

I do hope Redhat releases patches soon.

Cheers,
Zube

Re: CVE-2016-5195 “DirtyCOW”: Critical Linux Kernel Fla

By Leon Fauster at 10/23/2016 - 07:37

On 23.10.2016 at 03:31, Zube < ... at stat dot colostate.edu> wrote:

It's explained in the first line.

What's quite confusing, is Redhat's security rating: "only important"
and not critical. I see how security ratings are applied

"Flaws that require an authenticated remote user, a local user, or an
unlikely configuration are not classed as Critical impact." [1]

but such a bug should be weighted discretely.

[1] https://access.redhat.com/security/updates/classification/