Dirty COW exploit patch

Support for security such as Firewalls and securing Linux
caroseuk
Posts: 5
Joined: 2016/10/21 10:33:58
Location: Kent, UK

Post by caroseuk » 2016/10/21 10:37:00

Morning ladies and gents,

I have a few CentOS servers running 7.x and have seen the latest report of the Dirty COW exploit (CVE-2016-5195).

Can anyone advise on the process of protecting my servers from this exploit?

I have run yum update but no packages/kernel are found for update.

Any recommendations would be greatly received :D

Thanks,

giulix63
Posts: 1305
Joined: 2014/05/14 10:06:37
Location: UK

Re: Dirty COW exploit patch

Post by giulix63 » 2016/10/21 11:50:12

Please, refer to RH BZ.
Root is evil: Do not use root (sudo) to run any of the commands specified in my posts unless explicitly indicated. Please, provide the necessary amount of context to understand your problem/question.

caroseuk
Posts: 5
Joined: 2016/10/21 10:33:58
Location: Kent, UK

Re: Dirty COW exploit patch

Post by caroseuk » 2016/10/21 12:01:59

I have gone through it and downloaded the check script.

My servers are all vulnerable and the systemtap technique fails for me (Kernel-dev package is a different version to the running kernel), so it cannot run the .stp file.

TrevorH
Site Admin
Posts: 32965
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Dirty COW exploit patch

Post by TrevorH » 2016/10/21 12:06:40

So install the matching kernel-devel package then...
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

caroseuk
Posts: 5
Joined: 2016/10/21 10:33:58
Location: Kent, UK

Re: Dirty COW exploit patch

Post by caroseuk » 2016/10/21 12:20:36

Hi Trevor, I've tried to but no sign of that package in the repos,

Output from $ sudo yum install kernel-devel-$(uname -r)

Loading mirror speeds from cached hostfile
* base: centos.hyve.com
* epel: mirrors.coreix.net
* extras: centos.hyve.com
* remi-php70: remi.check-update.co.uk
* remi-safe: remi.check-update.co.uk
* updates: centos.hyve.com
No package kernel-devel-3.10.0-229.20.1.el7.x86_64 available.
Error: Nothing to do

Upon looking at the installed kernel packages using "# rpm -qa kernel\* | sort"

kernel-3.10.0-229.20.1.el7.x86_64
kernel-3.10.0-327.28.2.el7.x86_64
kernel-3.10.0-327.28.3.el7.x86_64
kernel-3.10.0-327.36.1.el7.x86_64
kernel-3.10.0-327.36.2.el7.x86_64
kernel-devel-3.10.0-327.36.2.el7.x86_64
kernel-headers-3.10.0-327.36.2.el7.x86_64
kernel-tools-3.10.0-327.36.2.el7.x86_64
kernel-tools-libs-3.10.0-327.36.2.el7.x86_64

It looks like I'm using the 3.10.0-229.20.1.el7.x86_64 kernel, though after rebooting it doesn't seem to want to use the newer kernel.

Any ideas? Sorry, I've only been using Linux for 4/5 months so still getting to grips with it.

TrevorH
Site Admin
Posts: 32965
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Dirty COW exploit patch

Post by TrevorH » 2016/10/21 12:30:46

You're still running a 7.1 kernel which has been unsupported since the release of 7.2 in November last year. You should be running kernel-3.10.0-327.36.2.el7.x86_64 which is the latest available kernel. If you are rebooting and not getting the right kernel then either your /boot/grub2/grub.cfg is pointing at the wrong default kernel or you have a broken software RAID device in use for your /boot. Check in /proc/mdstat to see if it is using both devices if so.
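
The checks described in the post above (running kernel versus newest installed kernel, a matching kernel-devel, a degraded software RAID under /boot), as an added example that is not part of the original thread. The function names and the sample /proc/mdstat text are constructed for illustration; the package list is the one posted earlier in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): is the host running its newest installed
# kernel, is a matching kernel-devel present, and is an md array degraded?

# Constructed sample: the package list as posted in the thread.
SAMPLE_RPMS='kernel-3.10.0-229.20.1.el7.x86_64
kernel-3.10.0-327.28.2.el7.x86_64
kernel-3.10.0-327.28.3.el7.x86_64
kernel-3.10.0-327.36.1.el7.x86_64
kernel-3.10.0-327.36.2.el7.x86_64
kernel-devel-3.10.0-327.36.2.el7.x86_64
kernel-headers-3.10.0-327.36.2.el7.x86_64
kernel-tools-3.10.0-327.36.2.el7.x86_64
kernel-tools-libs-3.10.0-327.36.2.el7.x86_64'

# Constructed sample of /proc/mdstat: a RAID1 array with one member missing.
SAMPLE_MDSTAT='Personalities : [raid1]
md0 : active raid1 sda1[0]
      511936 blocks super 1.0 [2/1] [U_]
unused devices: <none>'

# newest_kernel LIST -> version of the newest plain "kernel-<version>" package
newest_kernel() {
    printf '%s\n' "$1" | sed -n 's/^kernel-\([0-9].*\)$/\1/p' | sort -V | tail -n 1
}

# has_devel LIST VERSION -> 0 if kernel-devel for exactly VERSION is in LIST
has_devel() {
    printf '%s\n' "$1" | grep -qxF "kernel-devel-$2"
}

# mdstat_degraded TEXT -> 0 if any member map such as [U_] shows a missing device
mdstat_degraded() {
    printf '%s\n' "$1" | grep -Eq '\[[U_]*_[U_]*\]'
}

# report RUNNING LIST MDSTAT -> prints findings, returns 0 only if nothing is wrong
report() {
    running=$1 newest=$(newest_kernel "$2") rc=0
    if [ "$running" != "$newest" ]; then
        echo "running $running, newest installed is $newest: reboot into it"; rc=1
    fi
    has_devel "$2" "$running" || { echo "no kernel-devel for $running"; rc=1; }
    mdstat_degraded "$3" && { echo "md array degraded: /boot may be stale"; rc=1; }
    return $rc
}

# Live host: report "$(uname -r)" "$(rpm -qa 'kernel*')" "$(cat /proc/mdstat)"
report 3.10.0-229.20.1.el7.x86_64 "$SAMPLE_RPMS" "$SAMPLE_MDSTAT" || true
```
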

caroseuk
Posts: 5
Joined: 2016/10/21 10:33:58
Location: Kent, UK

Re: Dirty COW exploit patch

Post by caroseuk » 2016/10/21 12:56:42

Hi Trevor, thanks for the speedy response.

I managed to get it booting with the most up to date kernel. However, when I try to run the mitigation script, I get:

Code:

semantic error: while resolving probe point: identifier 'syscall' at dirty-cow-fix.stp:5:7
        source: probe syscall.ptrace {  // includes compat ptrace as well
                      ^

semantic error: no match

Which is apparently because I need the kernel-debuginfo package installed. However this is not found using the package manager :oops:

Any idea how I get this installed? Sorry for the noobish question.

TrevorH
Site Admin
Posts: 32965
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: Dirty COW exploit patch

Post by TrevorH » 2016/10/21 13:09:37

The base-debuginfo repo is disabled by default - use --enablerepo=base-debuginfo on your yum command to temporarily enable it. As all debuginfo files go in the same repo and it contains the xen4centos builds too, you will need to explicitly install the matching one like yum --enablerepo=base-debuginfo install kernel-debuginfo-3.10.0-327.36.2.el7

caroseuk
Posts: 5
Joined: 2016/10/21 10:33:58
Location: Kent, UK

Re: Dirty COW exploit patch

Post by caroseuk » 2016/10/21 13:32:53

You're a star! Thanks Trevor, works a treat :)

I can panic less now.

Have a good weekend :D

toracat
Site Admin
Posts: 7517
Joined: 2006/09/03 16:37:24
Location: California, US

Re: Dirty COW exploit patch

Post by toracat » 2016/10/22 04:40:15

Or you can use the debuginfo-install command (installed by yum-utils) like:

Code:

debuginfo-install kernel-3.10.0-327.36.2.el7

Or

Code:

debuginfo-install kernel-$(uname -r)

Note that you do not need to enable the base-debuginfo repo.
CentOS Forum FAQ