It’s well-known that the tech community is a big fan of weird and wonderful nicknames for their vulnerabilities, but while the name of the new one – ‘Dirty COW’ – is particularly special, don’t let the tongue-in-cheek name fool you; it’s affecting Linux in a big way and there are steps you need to take to protect yourself.
What is Dirty COW?
Last Friday news hit the headlines about a new Linux vulnerability, officially operating under the slightly less-fun name CVE-2016-5195 but known to most as Dirty COW. It’s been lurking in the Linux kernel for the best part of nine years, which means that a lot of systems are likely to be affected; for example, it’s been confirmed that the bug affects Android.
The name comes from the fact that it exploits a kernel mechanism called ‘copy-on-write’. It is a privilege escalation bug, which means that if attackers manage to get a foothold inside your system, for example through an ordinary user account, they can then use Dirty COW to take total control.
Dirty COW was found by researcher Phil Oester who says the vulnerability is already being exploited in the wild, so it’s crucial to protect yourself, fast. Which leads me nicely onto my second point…
What do customers need to do?
The bug is already patched in some of the Linux big-hitters, including Red Hat, Debian and Ubuntu, so now it’s down to you to make sure your systems are up to date. You know as well as I do that it’s important to apply updates regularly to pick up new patches, and when a new threat is disclosed it’s the perfect time to check your distro again.
It’s also important to note that if a server is vulnerable, once it has been updated it must be rebooted. If you’re a UKFast client, you can choose to do this through your MyUKFast Package Manager screen.
**It’s very important that once you’ve updated you reboot, otherwise the patch won’t take effect and you will not be protected. The fix is in the kernel, and the running kernel is only replaced by a reboot.**
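As an added example (not UKFast’s code or the MyUKFast Package Manager), here is a small POSIX shell check that answers the question above for a single host: it compares the kernel actually running (from `uname -r`) with the newest kernel package on disk, using dpkg on Debian/Ubuntu and rpm on Red Hat/CentOS, and reports whether a reboot is still outstanding. It assumes one of those two package managers is present and that kernel package names carry the version in the usual way.

```shell
#!/bin/sh
# Added example: does a patched kernel on disk still need a reboot to take effect?

# needs_reboot RUNNING INSTALLED
# True (exit 0) when the newest installed kernel differs from the running one,
# i.e. the update is on disk but the old kernel is still in use. An empty
# INSTALLED means we could not determine it, so we do not claim a reboot is due.
needs_reboot() {
    running="$1"
    installed="$2"
    [ -n "$installed" ] && [ "$running" != "$installed" ]
}

# Newest installed kernel version string, in the same form as `uname -r`.
# Debian/Ubuntu: packages named linux-image-<version>, e.g. linux-image-4.4.0-45-generic.
# Red Hat/CentOS: the 'kernel' package, printed as VERSION-RELEASE.ARCH.
# Prints nothing if neither package manager is available.
newest_installed_kernel() {
    if command -v dpkg-query >/dev/null 2>&1; then
        # Only fully installed packages; strip the linux-image- prefix.
        dpkg-query -W -f '${Status} ${Package}\n' 'linux-image-[0-9]*' 2>/dev/null \
            | awk '$3 == "installed" { sub(/^linux-image-/, "", $4); print $4 }' \
            | sort -V | tail -n 1
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}.%{ARCH}\n' kernel 2>/dev/null \
            | sort -V | tail -n 1
    fi
}

# Run the check against this host.
running="$(uname -r)"
installed="$(newest_installed_kernel)"
if needs_reboot "$running" "$installed"; then
    echo "REBOOT REQUIRED: running $running, newest installed $installed"
else
    echo "OK: running $running is the newest installed kernel (or none found)"
fi
```

Run it after applying the update; a “REBOOT REQUIRED” line means the Dirty COW fix is installed but not yet in effect.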
Taking a longer-term view, consider employing a threat monitoring solution, which acts like an alarm fence around your system so that you’re alerted as soon as anything weird happens; most threats can lie undetected for months or even years inside a company’s systems, which equates to a LOT of data-stealing opportunities.
What we’ve done at UKFast
We’ve identified the servers that are vulnerable, so that once you’re patched and have rebooted you’ll be protected, and if you’re at all concerned give your account manager a call.
*Update: The CentOS 5 and RHEL 5 patches have now also been released.*