Skip to main content

Your submission was sent successfully! Close

Thank you for signing up for our newsletter!
In these regular emails you will find the latest updates from Canonical and upcoming events where you can meet our team.Close

Thank you for contacting us. A member of our team will be in touch shortly. Close

  1. Blog
  2. Article

Dustin Kirkland
on 31 October 2016

Dirty COW was livepatched in Ubuntu within hours of publication


If you haven’t heard about last week’s Dirty COW vulnerability, I hope all of your Linux systems are automatically patching themselves…

Why? Because every single Linux-based phone, router, modem, tablet, desktop, PC, server, virtual machine, and absolutely everything in between — including all versions of Ubuntu since 2007 — was vulnerable to this face-palming critical security vulnerability.

Any non-root local user of a vulnerable system can easily exploit the vulnerability and become the root user in a matter of a few seconds. Watch…

Coincidentally, just before the vulnerability was published, we released the Canonical Livepatch Service for Ubuntu 16.04 LTS. The thousands of users who enabled canonical-livepatch on their Ubuntu 16.04 LTS systems with those first few hours received and applied the fix to Dirty COW, automatically, in the background, and without rebooting!

If you haven’t already enabled the Canonical Livepatch Service on your Ubuntu 16.04 LTS systems, you should really consider doing so, with 3 easy steps:

  1. Go to https://ubuntu.com/livepatch and retrieve your livepatch token
    Install the canonical-livepatch snap
    $ sudo snap install canonical-livepatch
  2. Enable the service with your token
    $ sudo canonical-livepatch enable [TOKEN]

And you’re done! You can check the status at any time using:

$ canonical-livepatch status --verbose

Let’s retry that same vulnerability, on the same system, but this time, having been livepatched…

Aha! Thwarted!

So that’s the Ubuntu 16.04 LTS kernel space… What about userspace? Most of the other recent, branded vulnerabilities (Heartbleed, ShellShock, CRIME, BEAST) have been critical vulnerabilities in userspace packages.

As of Ubuntu 16.04 LTS, the unattended-upgrades package is now part of the default package set, so you should already have it installed on your Ubuntu desktops and servers. If you don’t already have it installed, you can install it with:

$ sudo apt install unattended-upgrades

And moreover, as of Ubuntu 16.04 LTS, the unattended-upgrades package automatically downloads and installs important security updates once per day, automatically patching critical security vulnerabilities and keeping your Ubuntu systems safe by default. Older versions of Ubuntu (or Ubuntu systems that upgraded to 16.04) might need to enable this behavior using:

$ sudo dpkg-reconfigure unattended-upgrades

With that combination enabled — (1) automatic livepatches to your kernel, plus (2) automatic application of security package updates — Ubuntu 16.04 LTS is the most secure Linux distribution to date. Period.

If you want to enable the Canonical Livepatch Service on more than three machines, please purchase an Ubuntu Advantage support package from buy.ubuntu.com or get in touch.

Related posts


Rajan Patel
28 February 2022

An overview of live kernel patching

Cloud and server Article

Learn how Canonical improves security on Linux with live kernel patching. Track Livepatch activity over time in Landscape. ...


Canonical
14 September 2021

Ubuntu Livepatch on-prem reduces downtime and unplanned work on enterprise environments!

Canonical announcements Article

London, United Kingdom – Canonical announces Ubuntu Livepatch on-prem, an enhancement to its Ubuntu Livepatch service enabling organisations to take control of their kernel livepatching policy. Designed for complex enterprise environments that follow their own patch rollout policy, Ubuntu Livepatch on-prem provides the basis for an effici ...


Linux kernel Livepatching

Cloud and server Article

Ubuntu Livepatch is the service and the software that enables organizations to quickly patch vulnerabilities on the Ubuntu Linux kernels. Livepatch provides uninterrupted service while reducing fire drills during high and critical severity kernel vulnerabilities. It is a complex technology and the details can be confusing, so in this post ...