A privilege escalation bug in the Linux kernel was recently made public, that has gone unnoticed since 2007! It’s name is derived from the “Copy-on-Write” mechanism that is being exploited. The bug allows a user to gain write access to parts in the memory that are otherwise read-only, thus increasing their access rights inside the system.
What systems are affected by it ?
Since the vulnerability exists in the Linux kernel’s memory manager, all Linux systems that have a kernel newer than 2.6.22 are being affected. This potentially includes Android devices too, but the attacker needs to be able to execute code locally in order to exploit this vulnerability.
- The wheezy release with version 3.2.78-1
- The jessie release with version 3.16.36-1+deb8u1
- All SUSE Linux Enterprise kernels after SUSE Linux Enterprise 11 and all openSUSE kernels.
- All Ubuntu systems since 2007.
- Several 5.x, 6.x and 7.x Redhat Enterprise Linux editions (see the Errata section in the link above)
What can I do to protect myself?
If you use Pressidium to host your website you need not worry about it at all. We’ve upgraded all of our systems to the latest kernel version that includes the security patch. The upgrade took place in a seamless manner without any web service disruption.
Normally patching the kernel requires a reboot (which means downtime for your website, and your visitors). However, with our High Availability infrastructure, maintenance operations like these take place while your website stays online, happily serving users.
If you use Linux in the desktop, or manage a server on your own, issuing a system update is enough to patch your system against the bug.
On Ubuntu and Debian, use the following commands:
$ sudo apt-get update
Once that is finished issue the following:
$ sudo apt-get dist-upgrade
On yum-based systems such as CentOS and Redhat, update the kernel with the following command:
$ sudo yum update kernel
Don’t forget to do a reboot in order to apply the changes with sudo reboot in all cases.
Regarding Android devices, Google released a supplemental patch fix for Nexus and Pixel devices. However, the official security fix will be released in the December Android Security bulletin. Read the official announcement here.
Samsung released an official patch fix on their November 2016 Android Security update.