如何在 Ubuntu 上修復並保護 Linux 伺服器免受 Dirty COW 漏洞的影響

在本文中，我們將學習如何修復 Dirty Cow Linux 漏洞。Dirty Cow Linux 漏洞於 2016 年 10 月 19 日被升級，因為它是在核心級別上的 Linux 作業系統中的許可權提升漏洞，該漏洞被披露為 Dirty Cow，因為它會建立一個核心處理 COW（寫時複製）的條件，該條件自 2007 年核心版本 2.6.22 以來就存在了很長時間，因為大多數伺服器都面臨風險。

Dirty Cow 意味著伺服器上的普通使用者或非特權使用者將獲得對所有可讀檔案的寫訪問許可權，從而增加他們對系統的訪問許可權。

由於大多數 Linux 發行版已經發布了該漏洞的修復程式，因此您無需擔心，因為本文將幫助您解決此問題。

檢查 Ubuntu 機器中的漏洞

要檢查漏洞是否影響 Linux 機器，我們必須執行以下命令：

如果 Linux 版本早於以下版本，則該 Linux 機器受到影響

• Ubuntu 16.10 的 4.8.0-26.28
• Ubuntu 16.04 LTS 的 4.4.0-45.66
• Ubuntu 14.04 LTS 的 3.13.0-100.147
• Ubuntu 12.04 LTS 的 3.2.0-113.155
• Debian 8 的 3.16.36-1+deb8u2
• Debian 7 的 3.2.82-1
• Debian 不穩定版本的 4.7.8-1

$ uname –rv
Output:
2.6.32-314-ec2 #27-Ubuntu SMP Wed Mar 2 22:54:48 UTC 2011

修復 Dirty Cow 漏洞

我們可以直接從 Ubuntu 儲存庫應用修復程式，然後重新啟動伺服器

以下是更新 Ubuntu 機器上所有軟體包的命令：

$ sudo apt-get update && sudo apt-get dist-upgrade
Output:
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]
Hit:2 http://in.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://deb.kamailio.org/kamailio jessie InRelease
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates InRelease [95.7 kB]
Hit:5 http://in.archive.ubuntu.com/ubuntu xenial-backports InRelease
Fetched 190 kB in 6s (30.5 kB/s)
Reading package lists... Done
W: http://deb.kamailio.org/kamailio/dists/jessie/InRelease: Signature by key E79ACECB87D8DCD23A20AD2FFB40D3E6508EA4C8 uses weak digest algorithm (SHA1)
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
linux-headers-4.4.0-21 linux-headers-4.4.0-21-generic linux-headers-4.4.0-38
linux-headers-4.4.0-38-generic linux-image-4.4.0-21-generic linux-image-4.4.0-38-generic
linux-image-extra-4.4.0-21-generic linux-image-extra-4.4.0-38-generic
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
libpython3.5 snap-confine
The following packages will be upgraded:
apparmor apport apt apt-utils base-files bash bsdutils cloud-initramfs-copymods
cloud-initramfs-dyn-netconf console-setup console-setup-linux dh-python distro-info-data
dmidecode dpkg fuse grep grub-legacy-ec2 ifupdown init init-system-helpers
initramfs-tools initramfs-tools-bin initramfs-tools-core isc-dhcp-client isc-dhcp-common
kbd keyboard-configuration klibc-utils language-pack-en less libapparmor-perl
libapparmor1 libapt-inst2.0 libapt-pkg5.0 libblkid1 libc-bin libc-dev-bin libc6 libc6-dev
libdrm2 libfdisk1 libfuse2 libglib2.0-0 libglib2.0-data libgnutls-openssl27 libgnutls30
libklibc libldap-2.4-2 liblxc1 libmount1 libp11-kit0 libpam-systemd libplymouth4
libpython3.5-minimal libpython3.5-stdlib libsmartcols1 libsystemd0 libudev1 libuuid1
locales lsb-base lsb-release lxc-common lxcfs lxd lxd-client mdadm mount
multiarch-support open-iscsi overlayroot plymouth plymouth-theme-ubuntu-text
python3-apport python3-problem-report python3-software-properties python3-urllib3
python3.5 python3.5-minimal shared-mime-info snapd software-properties-common sudo
systemd systemd-sysv ubuntu-core-launcher udev unattended-upgrades update-notifier-common
util-linux vim vim-common vim-runtime vim-tiny vlan
96 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 52.3 MB of archives.
After this operation, 18.5 MB of additional disk space will be used.
Do you want to continue? [Y/n]Y
Get:1 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 base-files amd64 9.4ubuntu4.3 [67.7 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 bash amd64 4.3-14ubuntu1.1 [583 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 bsdutils amd64 1:2.27.1-6ubuntu3.1 [51.8 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 dpkg amd64 1.18.4ubuntu1.1 [2,083 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 grep amd64 2.25-1~16.04.1 [153 kB]
Get:6 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 init-system-helpers all 1.29ubuntu3 [32.4 kB]
Get:7 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 init amd64 1.29ubuntu3 [4,716 B]
Get:8 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libpam-systemd amd64 229-4ubuntu12 [115 kB]
Get:9 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libudev1 amd64 229-4ubuntu12 [55.2 kB]
Get:10 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 mdadm amd64 3.3-2ubuntu7.1 [394 kB]
Get:11 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 udev amd64 229-4ubuntu12 [993 kB]
Get:12 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 ifupdown amd64 0.8.10ubuntu1.1 [54.9 kB]
Get:13 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libsystemd0 amd64 229-4ubuntu12 [205 kB]
…
…
…
Setting up overlayroot (0.27ubuntu1.2) ...
Setting up vlan (1.9-3.2ubuntu1.16.04.1) ...
Installing new version of config file /etc/network/if-pre-up.d/vlan ...
Setting up kbd (1.15.5-1ubuntu5) ...
Setting up console-setup-linux (1.108ubuntu15.2) ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-1.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-13.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-14.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-15.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-2.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-3.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-4.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-7.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-9.inc ...
Setting up liblxc1 (2.0.5-0ubuntu1~ubuntu16.04.2) ...
Setting up lxc-common (2.0.5-0ubuntu1~ubuntu16.04.2) ...
Installing new version of config file /etc/apparmor.d/abstractions/lxc/container-base ...
Installing new version of config file /etc/apparmor.d/abstractions/lxc/start-container ...
Setting up lxd (2.0.5-0ubuntu1~ubuntu16.04.1) ...
Setting up console-setup (1.108ubuntu15.2) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for initramfs-tools (0.122ubuntu8.5) ...
update-initramfs: Generating /boot/initrd.img-4.4.0-47-generic
W: mdadm: /etc/mdadm/mdadm.conf defines no arrays.
Processing triggers for systemd (229-4ubuntu12) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for libc-bin (2.23-0ubuntu4) ...

系統更新後，我們需要重新啟動機器，以下是重新啟動機器的命令

$sudo init 6

更新後驗證系統以進行核心更新

由於我們已升級軟體包並更新了機器以修復 Dirty Cow 漏洞，因此我們需要檢查補丁是否已應用。以下是驗證的命令。

$ sudo uname -rv
Output:
4.4.0-47-ec2 #68-Ubuntu SMP Wed Oct 26 19:39:52 UTC 2016

我們可以看到核心已從 2.6.32-314 更新到 4.4.0-47，因此 Linux 機器已免受 Dirty Cow 漏洞的影響。

在上面的文章中，我們學習瞭如何在 Linux 機器上檢查 Dirty Cow 漏洞，我們還學習瞭如何修復 Dirty Cow 漏洞並進行驗證。

Sharon Christine

更新於：2020 年 1 月 27 日

219 次檢視

開啟你的 職業生涯

透過完成課程獲得認證

開始學習