How to patch and protect a Linux server against the Dirty COW vulnerability on Ubuntu


In this article we will learn how to fix the Dirty COW Linux vulnerability (CVE-2016-5195). Dirty COW was publicly disclosed on October 19, 2016. It is a local privilege-escalation bug in the Linux kernel: a race condition in the way the kernel's memory subsystem handles copy-on-write (COW) breakage of private, read-only memory mappings. The defect had been present since kernel 2.6.22 (released in 2007), so practically every Linux server in service was exposed.

In practice, Dirty COW means that an ordinary, unprivileged local user can gain write access to any file they are able to read, including root-owned read-only files, and so escalate their privileges on the system.

Most Linux distributions have already published fixed kernels, so the remedy is simply to install them and reboot; this article walks through doing that on Ubuntu.

Checking an Ubuntu machine for the vulnerability

To see whether the vulnerability affects a Linux machine, check the version of the running kernel:

$ uname -rv
Output:
2.6.32-314-ec2 #27-Ubuntu SMP Wed Mar 2 22:54:48 UTC 2011

The machine is affected if its kernel is older than the first fixed kernel package for its release:

  • Ubuntu 16.10: 4.8.0-26.28
  • Ubuntu 16.04 LTS: 4.4.0-45.66
  • Ubuntu 14.04 LTS: 3.13.0-100.147
  • Ubuntu 12.04 LTS: 3.2.0-113.155
  • Debian 8: 3.16.36-1+deb8u2
  • Debian 7: 3.2.82-1
  • Debian unstable: 4.7.8-1

uname -r reports the kernel that is actually running, which is what matters for exploitability: a fixed kernel that is installed but not yet booted does not protect the machine. On Ubuntu the ABI number in uname -r (the "-45" in 4.4.0-45-generic) is the same "-45" as in the package version 4.4.0-45.66, so the two can be compared directly. On Debian the kernel name reported by uname -r (for example 3.16.0-4-amd64) does not change with security uploads, so there you must compare the version of the installed linux-image package, as shown by dpkg, against the table.

Fixing the Dirty COW vulnerability

The fix is installed straight from the Ubuntu repositories; a reboot is then required so that the new kernel is the one actually running.

The following command refreshes the package lists and upgrades every installed package on the Ubuntu machine. dist-upgrade is used rather than upgrade because a new kernel arrives as a new linux-image-<version> package pulled in by the kernel meta-package, and plain upgrade will not install new packages:

$ sudo apt-get update && sudo apt-get dist-upgrade
Output:
Get:1 http://security.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]
Hit:2 http://in.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://deb.kamailio.org/kamailio jessie InRelease
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates InRelease [95.7 kB]
Hit:5 http://in.archive.ubuntu.com/ubuntu xenial-backports InRelease
Fetched 190 kB in 6s (30.5 kB/s)
Reading package lists... Done
W: http://deb.kamailio.org/kamailio/dists/jessie/InRelease: Signature by key E79ACECB87D8DCD23A20AD2FFB40D3E6508EA4C8 uses weak digest algorithm (SHA1)
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
The following packages were automatically installed and are no longer required:
linux-headers-4.4.0-21 linux-headers-4.4.0-21-generic linux-headers-4.4.0-38
linux-headers-4.4.0-38-generic linux-image-4.4.0-21-generic linux-image-4.4.0-38-generic
linux-image-extra-4.4.0-21-generic linux-image-extra-4.4.0-38-generic
Use 'sudo apt autoremove' to remove them.
The following NEW packages will be installed:
libpython3.5 snap-confine
The following packages will be upgraded:
apparmor apport apt apt-utils base-files bash bsdutils cloud-initramfs-copymods
cloud-initramfs-dyn-netconf console-setup console-setup-linux dh-python distro-info-data
dmidecode dpkg fuse grep grub-legacy-ec2 ifupdown init init-system-helpers
initramfs-tools initramfs-tools-bin initramfs-tools-core isc-dhcp-client isc-dhcp-common
kbd keyboard-configuration klibc-utils language-pack-en less libapparmor-perl
libapparmor1 libapt-inst2.0 libapt-pkg5.0 libblkid1 libc-bin libc-dev-bin libc6 libc6-dev
libdrm2 libfdisk1 libfuse2 libglib2.0-0 libglib2.0-data libgnutls-openssl27 libgnutls30
libklibc libldap-2.4-2 liblxc1 libmount1 libp11-kit0 libpam-systemd libplymouth4
libpython3.5-minimal libpython3.5-stdlib libsmartcols1 libsystemd0 libudev1 libuuid1
locales lsb-base lsb-release lxc-common lxcfs lxd lxd-client mdadm mount
multiarch-support open-iscsi overlayroot plymouth plymouth-theme-ubuntu-text
python3-apport python3-problem-report python3-software-properties python3-urllib3
python3.5 python3.5-minimal shared-mime-info snapd software-properties-common sudo
systemd systemd-sysv ubuntu-core-launcher udev unattended-upgrades update-notifier-common
util-linux vim vim-common vim-runtime vim-tiny vlan
96 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 52.3 MB of archives.
After this operation, 18.5 MB of additional disk space will be used.
Do you want to continue? [Y/n]Y
Get:1 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 base-files amd64 9.4ubuntu4.3 [67.7 kB]
Get:2 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 bash amd64 4.3-14ubuntu1.1 [583 kB]
Get:3 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 bsdutils amd64 1:2.27.1-6ubuntu3.1 [51.8 kB]
Get:4 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 dpkg amd64 1.18.4ubuntu1.1 [2,083 kB]
Get:5 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 grep amd64 2.25-1~16.04.1 [153 kB]
Get:6 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 init-system-helpers all 1.29ubuntu3 [32.4 kB]
Get:7 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 init amd64 1.29ubuntu3 [4,716 B]
Get:8 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libpam-systemd amd64 229-4ubuntu12 [115 kB]
Get:9 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libudev1 amd64 229-4ubuntu12 [55.2 kB]
Get:10 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 mdadm amd64 3.3-2ubuntu7.1 [394 kB]
Get:11 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 udev amd64 229-4ubuntu12 [993 kB]
Get:12 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 ifupdown amd64 0.8.10ubuntu1.1 [54.9 kB]
Get:13 http://in.archive.ubuntu.com/ubuntu xenial-updates/main amd64 libsystemd0 amd64 229-4ubuntu12 [205 kB]
…
…
…
Setting up overlayroot (0.27ubuntu1.2) ...
Setting up vlan (1.9-3.2ubuntu1.16.04.1) ...
Installing new version of config file /etc/network/if-pre-up.d/vlan ...
Setting up kbd (1.15.5-1ubuntu5) ...
Setting up console-setup-linux (1.108ubuntu15.2) ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-1.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-13.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-14.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-15.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-2.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-3.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-4.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-7.inc ...
Installing new version of config file /etc/console-setup/compose.ISO-8859-9.inc ...
Setting up liblxc1 (2.0.5-0ubuntu1~ubuntu16.04.2) ...
Setting up lxc-common (2.0.5-0ubuntu1~ubuntu16.04.2) ...
Installing new version of config file /etc/apparmor.d/abstractions/lxc/container-base ...
Installing new version of config file /etc/apparmor.d/abstractions/lxc/start-container ...
Setting up lxd (2.0.5-0ubuntu1~ubuntu16.04.1) ...
Setting up console-setup (1.108ubuntu15.2) ...
update-initramfs: deferring update (trigger activated)
Processing triggers for initramfs-tools (0.122ubuntu8.5) ...
update-initramfs: Generating /boot/initrd.img-4.4.0-47-generic
W: mdadm: /etc/mdadm/mdadm.conf defines no arrays.
Processing triggers for systemd (229-4ubuntu12) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for libc-bin (2.23-0ubuntu4) ...

Once the upgrade has finished, the machine must be rebooted so that the new kernel is loaded. The following command reboots it (sudo reboot is equivalent):

$ sudo init 6

Verifying the kernel update after the reboot

Having upgraded the packages and rebooted to fix the Dirty COW vulnerability, we still need to confirm that the patched kernel is the one now running. The same command as before (no root privileges are needed for uname) verifies this:

$ uname -rv
Output:
4.4.0-47-ec2 #68-Ubuntu SMP Wed Oct 26 19:39:52 UTC 2016

The running kernel has moved from 2.6.32-314 to 4.4.0-47, which is newer than the 4.4.0-45.66 threshold for Ubuntu 16.04 in the table above, so this Linux machine is no longer vulnerable to Dirty COW. If uname still showed the old version at this point, either the machine had not actually been rebooted into the new kernel, or no new kernel package was installed (which is what happens when apt-get upgrade is used instead of dist-upgrade).
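The two manual checks in this article, comparing the running kernel against the fixed-version table and confirming after the reboot that the new kernel is the one running, can be scripted. The script below is an added example written for this page, not code from the original article. It assumes Ubuntu kernel naming (uname -r of the form 4.4.0-47-generic, package version 4.4.0-47.68), the Ubuntu rows of the fixed-version table above, and an /etc/os-release that defines ID and VERSION_ID; the file name dirtycow_check.sh, the dpkg -l excerpt and the kernel versions used in the demo are constructed.

```shell
#!/bin/sh
# dirtycow_check.sh: added example, not part of the original article.
# Checks (1) whether the running kernel is at or past the first fixed Ubuntu
# kernel for this release and (2) whether a newer kernel is installed but
# not yet booted. Assumes Ubuntu kernel naming (uname -r = 4.4.0-47-generic,
# package version = 4.4.0-47.68) and an /etc/os-release with ID/VERSION_ID.

# First fixed Ubuntu kernel versions, as listed in the article (USN-3106-1).
fixed_version_for_release() {
  case "$1" in
    16.10) echo "4.8.0-26.28" ;;
    16.04) echo "4.4.0-45.66" ;;
    14.04) echo "3.13.0-100.147" ;;
    12.04) echo "3.2.0-113.155" ;;
    *) return 1 ;;
  esac
}

# "4.4.0-47-generic" or "4.4.0-45.66" -> "4 4 0 47": upstream version plus
# Ubuntu ABI number. The upload number (".66") is not part of uname -r, so it
# is ignored; every Ubuntu ABI bump is a separate upload, so the ABI suffices.
kernel_abi_tuple() {
  printf '%s\n' "$1" | awk -F'[.-]' '{ print $1, $2, $3, $4 }'
}

# kernel_is_patched RUNNING FIXED
# exit 0 if RUNNING >= FIXED, 1 if RUNNING is older, 2 if either is unparsable.
kernel_is_patched() {
  set -- $(kernel_abi_tuple "$1") $(kernel_abi_tuple "$2")
  [ "$#" -eq 8 ] || return 2
  for pair in "$1:$5" "$2:$6" "$3:$7" "$4:$8"; do
    r=${pair%%:*}
    f=${pair##*:}
    case "$r$f" in *[!0-9]* | "") return 2 ;; esac
    if [ "$r" -gt "$f" ]; then return 0; fi
    if [ "$r" -lt "$f" ]; then return 1; fi
  done
  return 0
}

# newest_installed_kernel: reads 'dpkg -l' output on stdin and prints the
# newest installed (status "ii") linux-image-<version>-<flavour> kernel.
newest_installed_kernel() {
  best=""
  while read -r status name _rest; do
    [ "$status" = "ii" ] || continue
    case "$name" in
      linux-image-[0-9]*) ver=${name#linux-image-} ;;
      *) continue ;;
    esac
    if [ -z "$best" ] || kernel_is_patched "$ver" "$best"; then
      best=$ver
    fi
  done
  [ -n "$best" ] && printf '%s\n' "$best"
}

# check_system RELEASE RUNNING DPKG_L_TEXT: the logic behind main, kept free
# of system calls so it can be exercised on constructed input. Prints OK,
# VULNERABLE or UNKNOWN, plus REBOOT when a newer kernel is installed but
# not the one running.
check_system() {
  release=$1; running=$2; dpkg_text=$3
  if fixed=$(fixed_version_for_release "$release"); then
    if kernel_is_patched "$running" "$fixed"; then result="OK"; else result="VULNERABLE"; fi
  else
    result="UNKNOWN"
  fi
  newest=$(printf '%s\n' "$dpkg_text" | newest_installed_kernel) || newest=""
  if [ -n "$newest" ] && [ "$newest" != "$running" ] && kernel_is_patched "$newest" "$running"; then
    result="$result REBOOT"
  fi
  printf '%s\n' "$result"
}

# Constructed 'dpkg -l' excerpt (not from a real machine) for the demo below.
SAMPLE_DPKG_L='ii  linux-image-4.4.0-21-generic        4.4.0-21.37  amd64  Linux kernel image
ii  linux-image-4.4.0-47-generic        4.4.0-47.68  amd64  Linux kernel image
ii  linux-image-extra-4.4.0-47-generic  4.4.0-47.68  amd64  Linux kernel extra modules
rc  linux-image-4.4.0-38-generic        4.4.0-38.57  amd64  Linux kernel image
ii  linux-image-generic                 4.4.0.47.49  amd64  Generic Linux kernel image'

# Demo: the fixed 4.4.0-47 kernel is installed, but 4.4.0-21 is still running.
demo() {
  check_system 16.04 "4.4.0-21-generic" "$SAMPLE_DPKG_L"   # -> "VULNERABLE REBOOT"
}

# Real check of the machine this runs on.
main() {
  . /etc/os-release
  [ "$ID" = "ubuntu" ] || { echo "UNKNOWN: only the Ubuntu table is implemented"; return 2; }
  check_system "$VERSION_ID" "$(uname -r)" "$(dpkg -l 'linux-image-*' 2>/dev/null)"
}

# Only run main when executed as a script, so the functions can also be sourced.
case "$0" in *dirtycow_check.sh) main "$@" ;; esac
```

Run it with sh dirtycow_check.sh on the machine. It prints OK, VULNERABLE or UNKNOWN, and appends REBOOT when a newer kernel package is installed than the one running, which is exactly the state a machine is in between apt-get dist-upgrade and init 6. For Debian the same table cannot be applied to uname -r, because the Debian kernel name does not change with security uploads; compare the linux-image package version reported by dpkg instead.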

In this article we learned how to check a Linux machine for the Dirty COW vulnerability, how to fix it by upgrading the kernel and rebooting, and how to verify afterwards that the patched kernel is running.

Updated on: January 27, 2020
