Ghost Vulnerability

A very serious security problem has been found and patched in glibc, the GNU C Library. It was announced on 27th January 2015.

Here are the affected Linux distros:

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older
  • SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc version <= 2.18-1


What is it?

A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls.

How can it hurt me?

A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.

How do I check if I am vulnerable?

Check the version for the C library (Glibc).

# ldd --version

Note that, at least on CentOS 6 and likely on RHEL 6, the ldd --version command will still return 2.12 even after the update, because the 2.12 library was patched, not replaced by a newer version. Check the rpm package version instead to see if the system was updated (see the full package list at https://rhn.redhat.com/errata/RHSA-2015-0092.html). For example:

# rpm -q glibc
glibc-2.12-1.149.el6_6.5.i686

RHEL/CentOS Linux v6.6:

[root@cloud1 ~]# ldd --version
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Test C Program

# wget http://geekdecoder.com/files/GHOST.c

Compile it:

# gcc -o GHOST GHOST.c

Test it:

# ./GHOST

Sample outputs:

# ./GHOST
vulnerable

GHOST-test.sh Vulnerability Test Bash Script

Get the script

# wget http://geekdecoder.com/files/GHOST-test.sh

Run it

# bash GHOST-test.sh

Output:

# ./GHOST-test.sh
Installed glibc version(s)
- glibc-2.12-1.132.el6.x86_64: vulnerable

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps

How to Fix it

CentOS/RHEL/Fedora

Type the following yum command as the root user:

# yum clean all
# yum update

Finally, reboot

# sudo reboot

Ubuntu Linux

Type the following apt-get command as the root user:

# sudo apt-get clean
# sudo apt-get update
# sudo apt-get upgrade
## only run dist-upgrade on Ubuntu if you want to upgrade the kernel too
## sudo apt-get dist-upgrade

Finally, reboot Ubuntu Linux server by typing the following command:


# sudo reboot

** A reboot is necessary because currently running processes still have the old library loaded and remain vulnerable even after the glibc update. The reboot forces them to load the new library.

If, after patching, you are able to manually restart all of the services listed by the following command, a reboot shouldn't be necessary:

# lsof | grep libc | awk '{print $1}' | sort | uniq
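
The lsof pipeline above lists every command that has any libc mapped, patched or not. The following added example (not part of the original post) narrows that to processes still mapping the pre-update library, assuming the package manager replaced the file on disk so the old mapping is marked "(deleted)" in /proc/<pid>/maps. The function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: find processes that still map the
# pre-update libc. Assumes the package update replaced the library file on
# disk, so the old mapping shows as "(deleted)" in /proc/<pid>/maps.

# Read maps-format text on stdin; print each stale libc path once.
stale_libc_paths() {
    awk '$NF == "(deleted)" && $(NF-1) ~ /\/libc[-.]/ { print $(NF-1) }' | sort -u
}

# Print "pid<TAB>command<TAB>stale path" for every affected process.
# Run as root to see all processes; entries that cannot be read are skipped.
# The command column may be empty on old kernels without /proc/<pid>/comm.
list_stale_libc_processes() {
    for dir in /proc/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        stale=$(stale_libc_paths 2>/dev/null < "$dir/maps") || continue
        [ -n "$stale" ] || continue
        printf '%s\t%s\t%s\n' "${dir#/proc/}" "$(cat "$dir/comm" 2>/dev/null)" "$stale"
    done
}

# Constructed sample of /proc/<pid>/maps content for a dry run of the filter.
sample_maps() {
    cat <<'EOF'
00400000-0040b000 r-xp 00000000 fd:00 131 /usr/sbin/exampled
7f1c2a000000-7f1c2a18a000 r-xp 00000000 fd:00 262 /lib64/libc-2.12.so (deleted)
7f1c2a18a000-7f1c2a38a000 ---p 0018a000 fd:00 262 /lib64/libc-2.12.so (deleted)
7f1c2a400000-7f1c2a420000 r-xp 00000000 fd:00 263 /lib64/ld-2.12.so
EOF
}

# "scan" checks the live system, "demo" runs the filter on the sample above.
case "${1:-}" in
    scan) list_stale_libc_processes ;;
    demo) sample_maps | stale_libc_paths ;;
esac
```

Run it with the argument scan after updating glibc; an empty result means no running process still holds the old library.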

Sources:

http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/
http://www.cyberciti.biz/faq/cve-2015-0235-ghost-glibc-buffer-overflow-linux-test-program/
