Magento – how to solve Dirty COW Linux OS Vulnerability Dirty COW (CVE-2016-5195)

linuxmagento-1magento-communitymagento2Security

There's a serious vulnerability that affects most Linux Operating Systems, CVE-2016-5195, also known as DIRTY COW (yes, the name sounds silly but the problem is serious!).
for more .. https://dirtycow.ninja/

Dirty COW (CVE-2016-5195) is a privilege escalation vulnerability in the Linux Kernel that can allow a local user (like a web hosting account) to gain root access to the server. This can also be a huge problem if your Magento store is compromised and the attacker has the ability to upload files to your server or hosting account.

The vulnerability is present in all major Linux Operating Systems and security researchers have detected in the wild (ITW) attacks even before security patches were released by the various operating systems

https://magento.com/security/vulnerabilities/new-linux-operating-system-vulnerability

Best Answer

See below references might helps: https://magento.com/security/vulnerabilities/new-linux-operating-system-vulnerability

https://goo.gl/WyzMdF

Applying patches manually with no SSH access

You have a good point here. The patches are supplied as .sh files and there is no solution offered by Magento for FTP only websites.

I suggest one would copy his website's code to a local environment through FTP (you would probably have that already). Then apply the patch by running the .sh file.

Now you need to find out which files you need to upload again. If you would open the .sh patch file, then you will see it consist of two sections:

Bash shell code to apply the patch. This code is general for every patch.
The actual patch in the form of a unified patch format. This indicates only the lines in files that were changed (including some context lines). This starts below the line __PATCHFILE_FOLLOWS__

From the second section you could read which files were/are affected by the patch. You need to upload these files again to your FTP or... you could just upload everything.

Applying manually without bash/shell

If you can't run .sh files (in Windows), then you could extract the second section of the patch (the unified patch) and apply it manually with a patching tool (or for example through PHPStorm).
The website Magentary.com provides ZIP files for each Magento version containing the patched files only.

Patches in current & future releases?

The patches that are released right now apply to all versions that were already released. Of course, might Magento release a new version (major or minor). Then they will contain all security patches as Magento will also apply the patches to their development code base naturally (these patches even originate from that code base ;)).

UPDATE:
Every last patch Magento has also released new versions of Magento CE and EE already containing the specific latest patch. See the Release Archive tab on the Magento download page.

Check this sheet, maintained by JH, for which patches to install for which Magento CE and EE version: https://docs.google.com/spreadsheets/d/1MTbU9Bq130zrrsJwLIB9d8qnGfYZnkm4jBlfNaBF19M

Magento – Magento Security Report TLSv1.0 Vulnerability

TLSv1.0 - its in your webserver SSL settings. you can safely disable it.

name your admin path as you like, something random.

obviously magento just reinvented the bicycle again, working in their own world...

you can use old good scanners:

https://magescan.com/  
https://www.magereport.com/

Best Answer

Related Solutions

Magento 1.9 Security Patches – How to Download and Install Without SSH

Applying patches manually with no SSH access

Applying manually without bash/shell

Patches in current & future releases?

Magento – Magento Security Report TLSv1.0 Vulnerability

Related Topic