CVE-2016-5195, Also known as "Dirty CoW" is a Local Privilege Escalation vulnerability in Linux Kernel 2.6.22 and higher. This impacts some of the most popular OSs like:
- Red Hat Enterprise Linux 7.x
- Red Hat Enterprise Linux 6.x
- Red Hat Enterprise Linux 5.x
- CentOS Linux 7.x
- CentOS Linux 6.x
- CentOS Linux 5.x
- Debian Linux wheezy
- Debian Linux jessie
- Debian Linux stretch
- Debian Linux sid
- Ubuntu Linux precise (LTS 12.04)
- Ubuntu Linux trusty
- Ubuntu Linux xenial (LTS 16.04)
- Ubuntu Linux yakkety
- Ubuntu Linux vivid/ubuntu-core
- SUSE Linux Enterprise 11 and 12.
For more technical information please view this link.
This exploit is being used perpetrate a DDoS attack against Dyn DNS which has caused outages for some popular services like Netflix, Hulu, Paypal, Etsy and CNN to name a few.
Several hosting providers are suffering outages from their connections being saturated from the attacks as well now.
Below is an image of outages for Level3 Networks.
So What does this mean for me?
Websites and servers are continually being bombarded with malicious hacking attempts. Most providers have some sort of basic protection to protect from brute force attacks, but that is only one form of a very basic attack.
If a site gets compromised through a security exploit in code or weak passwords, scripts like shell viewers can be uploaded. This means that a malicious user now has full access to the accounts files like web data, potentially emails and database information for that account. Historically,
Historically, that is where an attack would end, but due to 'Dirty CoW', a single infected site could mean that all sites and services on the server are now compromised.
Ok, now you have me sufficiently scared, what do I do?
This post isn't meant to be fire and brimstone, but it is important for users to understand and protect themselves.
At the time of this blog post being written, there is still no patch widely available for most of the Linux distributions, meaning most hosting providers are still vulnerable. (Edit 5:07PM Patches have been released upstream, so servers should be able to be patched now.)
So the best course of action at this point is prevention. This means:
- Make sure any custom code or plugins you use are secure and up-to-date.
- If you use a CMS (like WordPress, Joomla or Drupal) make sure you are using the latest release.
- Use security plugins/modules where possible to watch for and detect suspicious activity on your sites.
- Use strong passwords.
Once the security patch for Dirty CoW is released we will be patching all our servers, until then we will continue to monitor and work to protect our clients.
As an added security measure for our customers, we use an adaptive firewall that pulls down lists of known malicious hosts and infected systems, blocking them before they actually have a chance to attack our customers. On average, we block between 8000 and 12000 malicious attacks daily, and is included with all of our plans.
Should you have any questions about hosting please feel free to contact us here.