
Linux Bug - Dirty COW

Recently the Linux world came across yet another bug that is haunting *nix users all over the world. This bug has been given the name COW, and its associated CVE number is CVE-2016-5195.

It's kind of funny how these bugs get their names; this one grabbed my attention too. When I first heard about it as COW, I laughed out loud, like, what? :)


Background :

Later, when I started reading about this bug in detail, I got to know how it got its name: it is nothing but the "copy-on-write" technique, which the Linux kernel uses to maintain private read-only memory mappings. This technique has had a flaw in it since 2007, woohooo, that was a long way back.

In other words, this bug allows a server to be completely compromised through local privilege escalation. The vulnerability is specific to the Linux kernel, and exploiting it requires a local system user (compromised or not) to run malicious code to obtain admin privileges. Despite this requirement, it is a high-priority security issue that should be patched as soon as possible due to its severity.

How to Check if your System is vulnerable:

Run the script below to check whether your system is affected by this bug.

Copy and paste the content below into a file and give it executable permission:

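#!/bin/bash
# Version: 1.3

# Terminal colours used in the messages below
RED="\033[1;31m"
YELLOW="\033[1;33m"
GREEN="\033[1;32m"
RESET="\033[0m"

# Possible results
SAFE_KERNEL="SAFE_KERNEL"
SAFE_KPATCH="SAFE_KPATCH"
MITIGATED="MITIGATED"
VULNERABLE="VULNERABLE"

MITIGATION_ON='CVE-2016-5195 mitigation loaded'
MITIGATION_OFF='CVE-2016-5195 mitigation unloaded'

# Vulnerable kernel versions. The entries are missing from this copy of the
# script; fill them in from the vendor's advisory before relying on the result.
VULNERABLE_VERSIONS=(
    # RHEL5

    # RHEL6

    # RHEL7
)

# kpatch module names that fix the issue. The entries are missing here as well.
KPATCH_MODULE_NAMES=(
    # RHEL5

    # RHEL6

    # RHEL7
)

# With an empty version list every kernel would be reported as safe, so stop here
if (( ${#VULNERABLE_VERSIONS[@]} == 0 )); then
    echo "VULNERABLE_VERSIONS is empty; add the vendor's list before running this check." >&2
    exit 5
fi

running_kernel=$( uname -r )

# Check supported platform
if [[ "$running_kernel" != *".el"[5-7]* ]]; then
    echo -e "${RED}This script is only meant to detect vulnerable kernels on Red Hat Enterprise Linux 5, 6 and 7.${RESET}"
    exit 4
fi

# Check kernel if it is vulnerable
for tested_kernel in "${VULNERABLE_VERSIONS[@]}"; do
    if [[ "$running_kernel" == *"$tested_kernel"* ]]; then
        vulnerable_kernel=${running_kernel}
        break
    fi
done

# Check if kpatch is installed
modules=$( lsmod )
for tested_kpatch in "${KPATCH_MODULE_NAMES[@]}"; do
    if [[ "$modules" == *"$tested_kpatch"* ]]; then
        applied_kpatch=${tested_kpatch}
        break
    fi
done

# Check mitigation (the last message in dmesg decides the current state)
mitigated=0
while read -r line; do
    if [[ "$line" == *"$MITIGATION_ON"* ]]; then
        mitigated=1
    elif [[ "$line" == *"$MITIGATION_OFF"* ]]; then
        mitigated=0
    fi
done < <( dmesg )

# Result interpretation
result=${VULNERABLE}
if (( mitigated )); then
    result=${MITIGATED}
fi
if [[ ! "$vulnerable_kernel" ]]; then
    result=${SAFE_KERNEL}
elif [[ "$applied_kpatch" ]]; then
    result=${SAFE_KPATCH}
fi

# Print result
if [[ ${result} == "$SAFE_KERNEL" ]]; then
    echo -e "${GREEN}Your kernel is ${RESET}$running_kernel${GREEN} which is NOT vulnerable.${RESET}"
    exit 0
elif [[ ${result} == "$SAFE_KPATCH" ]]; then
    echo -e "Your kernel is $running_kernel which is normally vulnerable."
    echo -e "${GREEN}However, you have kpatch ${RESET}$applied_kpatch${GREEN} applied, which fixes the vulnerability.${RESET}"
    exit 1
elif [[ ${result} == "$MITIGATED" ]]; then
    echo -e "${YELLOW}Your kernel is ${RESET}$running_kernel${YELLOW} which IS vulnerable.${RESET}"
    echo -e "${YELLOW}You have a partial mitigation applied.${RESET}"
    echo -e "This mitigation protects against most common attack vectors which are already exploited in the wild,"
    echo -e "but does not protect against all possible attack vectors."
    echo -e "Red Hat recommends that you update your kernel as soon as possible."
    exit 2
else
    echo -e "${RED}Your kernel is ${RESET}$running_kernel${RED} which IS vulnerable.${RESET}"
    echo -e "Red Hat recommends that you update your kernel. Alternatively, you can apply partial"
    echo -e "mitigation described at ."
    exit 3
fi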

Run it as below:

 Ex : ./ it will show you whether your system is affected or not.

How to Apply Fix if affected

Once you know that your system is affected, you have to update the kernel to get rid of this bug. Which kernel version you need depends on your OS version, so here is the list of base versions per OS version that you need to install. You need at least these versions to clean the Dirty COW :)

RHEL 5 :


 RHEL 6 :





4.8.0-26.28 for Ubuntu 16.10
4.4.0-45.66 for Ubuntu 16.04 LTS
3.13.0-100.147 for Ubuntu 14.04 LTS
3.2.0-113.155 for Ubuntu 12.04 LTS


3.16.36-1+deb8u2 for Debian 8
3.2.82-1 for Debian 7
4.7.8-1 for Debian unstable  

Note: A reboot is required for the new kernel to take effect.
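
The detection script above only covers RHEL. As an added example (not part of the original post), this sketch compares a Debian or Ubuntu kernel package version against the minimum fixed versions listed above; the release keys and function names are assumptions made for the example, and the sample versions are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Release keys such as "ubuntu-16.04"
# are labels chosen here; the versions are the minimums listed on this page.
min_fixed() {
    case "$1" in
        ubuntu-16.10)    echo "4.8.0-26.28" ;;
        ubuntu-16.04)    echo "4.4.0-45.66" ;;
        ubuntu-14.04)    echo "3.13.0-100.147" ;;
        ubuntu-12.04)    echo "3.2.0-113.155" ;;
        debian-8)        echo "3.16.36-1+deb8u2" ;;
        debian-7)        echo "3.2.82-1" ;;
        debian-unstable) echo "4.7.8-1" ;;
        *) return 1 ;;
    esac
}

# ver_ge A B: succeed when A >= B, comparing numeric fields left to right.
# Simplified ordering (assumption): enough for these kernel version strings,
# not a full implementation of Debian version comparison.
ver_ge() {
    a=$(printf '%s' "$1" | tr -cs '0-9' ' ')
    b=$(printf '%s' "$2" | tr -cs '0-9' ' ')
    set -- $a
    for fb in $b; do
        if [ $# -eq 0 ]; then return 1; fi        # A has fewer fields: older
        if [ "$1" -gt "$fb" ]; then return 0; fi
        if [ "$1" -lt "$fb" ]; then return 1; fi
        shift
    done
    return 0
}

# check_kernel_pkg RELEASE VERSION -> 0 fixed, 1 needs update, 2 unknown release
check_kernel_pkg() {
    fixed=$(min_fixed "$1") || return 2
    if ver_ge "$2" "$fixed"; then return 0; fi
    return 1
}

# Constructed sample versions. On a real host, read the installed version with:
#   dpkg-query -W -f='${Version}' "linux-image-$(uname -r)"
for sample in "ubuntu-16.04 4.4.0-42.62" "ubuntu-16.04 4.4.0-45.66" \
              "debian-8 3.16.36-1+deb8u1" "debian-8 3.16.36-1+deb8u2"; do
    set -- $sample
    rc=0; check_kernel_pkg "$1" "$2" || rc=$?
    case $rc in
        0) echo "$1 $2: fixed for CVE-2016-5195" ;;
        1) echo "$1 $2: older than $(min_fixed "$1"), update and reboot" ;;
    esac
done
```

A fixed package only protects the host once the machine has been rebooted into it, so check the version of the package that matches the running kernel.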

Preparation :

Your server is probably important to you, so follow the steps below to make sure that all services are running as before after the reboot.

     Before Reboot:

                Once you have installed the kernel packages, make sure to check:
  1. All necessary services are enabled with chkconfig to start on server reboot.
  2. If you have any mount points, unmount them first and remount them after the server reboot.
  3. Take a backup of the database if you are rebooting a production MySQL server, just as a precautionary measure.
  4. Put the site in maintenance mode by showing a 503 status code.
  5. Reboot the server.

      After Reboot:

  1. Check whether the new kernel version is showing by running the command uname -a.
  2. Run the above script again to verify.
  3. Check that all necessary services are up and running.
  4. Check the mount points.
  5. Check whether emails are going out.
  6. Check connectivity between servers.
  7. Check the production/stage site hosted on the server.
You are good now, be happy till the NEW BUG hits the Linux World :) :D LOL



  1. I all the time used to study piece of writing in news papers but now as I am a user of net
    thus from now I am using net for content, thanks to

  2. Good day! Do you know if they make any plugins to safeguard against hackers?
    I'm kinda paranoid about losing everything I've
    worked hard on. Any tips?

    1. Which technology/OS distro are you aiming for? There are no such ready-made plugins available which can protect against hackers (maybe WordPress provides such plugins for its blog users). But in general, our best practices (there are several options under that, though) for server/application, plus some custom-built scripts on the server and modules in the application, can prevent hackers from exploiting our systems in a cost-effective way. Otherwise there is always scope for vertical scaling of your environment by introducing IDS, IPS, WAF. Your thoughts?

  3. This site certainly has all of the information and facts I wanted concerning this subject and didn't know
    who to ask.

  4. Hello, I am Kavin, it's my first time commenting anywhere,
    when I read this article I thought I could also create a comment due
    to this good post.

  5. Pretty nice post. I just stumbled upon your weblog and wished
    to say that I've truly enjoyed browsing your blog posts.
    In any case I will be subscribing to your rss feed and I hope you write
    again soon!

  6. WOW just what I was looking for. Came here by searching for american roulette wheel

  7. Hello, i think that i noticed you visited my weblog thus i got here to return the choose?.I'm attempting to
    find things to enhance my website!I guess its ok to make
    use of a few of your concepts!!

  8. Share the weblog again, so that i can revisit again ;) BTW Thank you :)

  9. What i don't understood is in fact how you're now not actually a lot more well-appreciated than you might be right
    now. You are so intelligent. You recognize thus significantly in the case
    of this matter, made me in my view imagine it from so many varied angles.
    Its like women and men are not involved until it is something to accomplish with Girl gaga!
    Your own stuffs outstanding. At all times take care of it up!


