CentOS - Oct 2016 - CVE-2016-5195 DirtyCOW : Critical Linux Kernel Flaw

On Sat, 22 Oct 2016, Valeri Galtsev wrote:
> On Sat, October 22, 2016 7:49 pm, Valeri Galtsev wrote:
>> Dear All,
>>
>> I guess, we all have to urgently apply workaround, following, say,
this:
>>
>>
https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/
>>
>> At least those of us who still have important multi user machines
running
>> Linux.
>
> I should have said CentOS 7. Older ones (CentOS 6 and 5) are not
vulnerable.
Patch is out on RHEL side:

https://rhn.redhat.com/errata/RHSA-2016-2098.html

*******************************************************************************
Gilbert Sebenste                                                    ********
(My opinions only!)                                                  ******
*******************************************************************************

What is the best approach on centos 6 to mitigate the problem is 
officially patched? As far as I can tell Centos 6 is vulnerable to 
attacks using ptrace.

There is a mitigation described here

https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13

which doesn't fix the underlying problem, but at least protects against 
known attack vectors. However, I'm unsure if the script only applies to 
Centos 7, or if it also works on Centos 6?

Cheers, Christian

On 24-10-2016 18:29, Gilbert Sebenste wrote:
> On Sat, 22 Oct 2016, Valeri Galtsev wrote:
>
>> On Sat, October 22, 2016 7:49 pm, Valeri Galtsev wrote:
>>> Dear All,
>>>
>>> I guess, we all have to urgently apply workaround, following, say, 
>>> this:
>>>
>>>
https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtycow-centos-7rhel7cpanelcloudlinux/
>>>
>>>
>>> At least those of us who still have important multi user machines 
>>> running
>>> Linux.
>>
>> I should have said CentOS 7. Older ones (CentOS 6 and 5) are not 
>> vulnerable.
>
> Patch is out on RHEL side:
>
> https://rhn.redhat.com/errata/RHSA-2016-2098.html
>
>
*******************************************************************************
>
> Gilbert Sebenste ********
> (My opinions only!)                                                  
> ******
>
*******************************************************************************
>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

On Tue, Oct 25, 2016 at 4:06 AM, Christian Anthon <anthon at rth.dk>
wrote:
> What is the best approach on centos 6 to mitigate the problem is
> officially patched? As far as I can tell Centos 6 is vulnerable to attacks
> using ptrace.
>
> There is a mitigation described here
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1384344#c13
>
> which doesn't fix the underlying problem, but at least protects against
> known attack vectors. However, I'm unsure if the script only applies to
> Centos 7, or if it also works on Centos 6?
>
> Cheers, Christian
>
>
I have not been able to get this script to work on CentOS 6.8

I've installed kernel-debug, kernel-devel, kernel-debug-devel,
kernel-debug-debuginfo, kernel-debuginfo-common and I still get:

stap -g -p 4 dirtyc0w.stp
semantic error: while resolving probe point: identifier 'syscall' at
dirtyc0w.stp:5:7
        source: probe syscall.ptrace {
                      ^

semantic error: no match

Pass 2: analysis failed.  [man error::pass2]


Anybody have any success with this?

-- 
Matt Phelps
System Administrator, Computation Facility
Harvard - Smithsonian Center for Astrophysics
mphelps at cfa.harvard.edu, http://www.cfa.harvard.edu


On 24-10-2016 18:29, Gilbert Sebenste wrote:
>
>> On Sat, 22 Oct 2016, Valeri Galtsev wrote:
>>
>> On Sat, October 22, 2016 7:49 pm, Valeri Galtsev wrote:
>>>
>>>> Dear All,
>>>>
>>>> I guess, we all have to urgently apply workaround, following,
say, this:
>>>>
>>>> https://gryzli.info/2016/10/21/protect-cve-2016-5195-dirtyco
>>>> w-centos-7rhel7cpanelcloudlinux/
>>>>
>>>> At least those of us who still have important multi user
machines
>>>> running
>>>> Linux.
>>>>
>>>
>>> I should have said CentOS 7. Older ones (CentOS 6 and 5) are not
>>> vulnerable.
>>>
>>
>> Patch is out on RHEL side:
>>
>> https://rhn.redhat.com/errata/RHSA-2016-2098.html
>>
>>
*******************************************************************************
>>
>> Gilbert Sebenste ********
>> (My opinions only!)
>> ******
>>
*******************************************************************************
>>
>> _______________________________________________
>> CentOS mailing list
>> CentOS at centos.org
>> https://lists.centos.org/mailman/listinfo/centos
>>
>>
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> https://lists.centos.org/mailman/listinfo/centos
>

On Tue, 25 Oct 2016 10:06:12 +0200
Christian Anthon <anthon at rth.dk> wrote:
> What is the best approach on centos 6 to mitigate the problem is 
> officially patched? As far as I can tell Centos 6 is vulnerable to 
> attacks using ptrace.
I can confirm that c6 is vulnerable, we're running a patched kernel
(local build) using a rhel6 adaptation of the upstream fix.

Ask off-list if you want an src.rpm

/Peter K