Who ya gonna call? GHOST Vulnerability

The GHOST vulnerability (CVE-2015-0235) affects Linux systems running the GNU C Library from glibc 2.2 up to and including 2.17 without a backported fix. The bug was fixed upstream in glibc 2.18 (May 2013), but the fix was not flagged as a security issue at the time, so long-term-support distributions that still ship an older glibc (Debian 7, Ubuntu 12.04 and 10.04, RHEL/CentOS 5, 6 and 7) stayed vulnerable until they issued patched packages in January 2015.

It's a heap-based buffer overflow in __nss_hostname_digits_dots(), the internal helper that gethostbyname() and gethostbyname2() (and their _r variants) use when the name passed to them consists only of digits and dots. The helper under-counts the space it needs by one pointer, so sizeof(char *) bytes (4 on 32-bit, 8 on 64-bit) are written past the end of the buffer. A remote attacker who can get an application to pass an attacker-controlled hostname to one of these functions can potentially execute arbitrary code with the privileges of that process; Qualys, who found the bug, demonstrated remote code execution against the Exim mail server. getaddrinfo() does not use this code path and is not affected, which is one reason much modern software is not exposed, but any service that still resolves user-supplied names with gethostbyname() is.

Check System Vulnerability

To test whether your servers are vulnerable to GHOST, compare the installed glibc package version against the first fixed version for your distribution. Because the fix was backported, the upstream version number alone (2.15, 2.12, 2.17) tells you nothing; the package revision is what matters. This version check only applies to distribution packages: a glibc you built yourself is fixed only if it is 2.18 or later.

Ubuntu & Debian

To check the version of glibc run the following command:

ldd --version

The first line of the output contains the version of eglibc, the variant of glibc that Ubuntu and Debian used at the time. For example:

ldd (Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

If the full package version of eglibc (including the revision after the dash) matches, or is more recent than, the one listed here for your release, you are safe from the GHOST vulnerability:

  • Ubuntu 12.04 LTS: 2.15-0ubuntu10.10
  • Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
  • Debian 7 (wheezy): 2.13-38+deb7u7

If the version of eglibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.

CentOS & RHEL

To check the version of glibc with rpm:

rpm -q glibc

The output should look like this:

glibc-2.12-1.149.el6_6.5.x86_64

If the full version-release of glibc matches, or is more recent than, the one listed here for your release, you are safe from the GHOST vulnerability (Red Hat's backported fixes also name the CVE in the package changelog):

  • CentOS 6: glibc-2.12-1.149.el6_6.5
  • CentOS 7: glibc-2.17-55.el7_0.5
  • RHEL 5: glibc-2.5-123.el5_11.1
  • RHEL 6: glibc-2.12-1.149.el6_6.5
  • RHEL 7: glibc-2.17-55.el7_0.5

If the version of glibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.
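The version checks above tell you what the package manager installed, not what the running library actually does. A runtime check is more reliable, and it also shows the bug itself. The program below is an added example modelled on the widely published Qualys test program; it is not code from the original post. It calls gethostbyname_r() with an all-digit name sized so that a vulnerable __nss_hostname_digits_dots() writes one pointer's worth of bytes past the end of the caller-supplied buffer, straight into a canary placed immediately after it. A fixed glibc accounts for those bytes in its size check and fails with ERANGE instead; any other outcome (for example on a non-glibc libc such as musl) is reported as inconclusive.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* The buffer handed to gethostbyname_r() and a canary that detects writes
 * past its end. Putting both in one struct keeps them adjacent in memory. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the canary was overwritten (vulnerable), 0 if glibc rejected
 * the request with ERANGE (fixed), -1 if neither happened (inconclusive). */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* The vulnerable size check counts 16 bytes of address storage, two
     * address pointers and the NUL-terminated name, but forgets the alias
     * pointer. Choose strlen(name) so the counted bytes exactly fill the
     * buffer; the forgotten pointer then lands on the canary. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;

    memset(name, '0', len);      /* all digits: takes the numeric fast path */
    name[len] = '\0';
    memcpy(temp.canary, CANARY, sizeof(CANARY));   /* fresh canary per call */

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return 1;                /* bytes landed past the buffer */
    if (retval == ERANGE)
        return 0;                /* fixed glibc refused the undersized buffer */
    return -1;
}

int main(void)
{
    int r = ghost_check();
    puts(r == 1 ? "vulnerable" : r == 0 ? "not vulnerable" : "inconclusive");
    return r == 0 ? 0 : 1;
}
```

Compile with cc on the host you want to test and run it as an unprivileged user; no network access is involved, because the numeric path never reaches DNS. The canary check is the decisive signal: a "vulnerable" result means the library in memory has the bug, whatever the package version says.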

Fix Vulnerability

The easiest way to fix the GHOST vulnerability is to use your default package manager to update the version of glibc. The following subsections cover updating glibc on various Linux distributions, including Ubuntu, Debian, CentOS, and Red Hat.

APT-GET: Ubuntu / Debian

For currently supported versions of Ubuntu or Debian, update all of your packages to the latest version available via apt-get dist-upgrade:

sudo apt-get update && sudo apt-get dist-upgrade

Then respond to the confirmation prompt with y.

When the update is complete, reboot the server with this command:

sudo reboot

A reboot is the simplest way to make sure every process is using the updated library. Each running process keeps its mapping of the old libc until it is restarted, so updating the package on disk alone does not close the hole. If you cannot reboot, restart every long-running service (in practice, everything that links libc, which is nearly everything) and then confirm that no process still maps the pre-update library, which the kernel marks as deleted in that process's /proc memory map.

YUM: CentOS / RHEL

Update glibc to the latest version available via yum:

sudo yum update glibc

Then respond to the confirmation prompt with y.

When the update is complete, reboot the server with this command:

sudo reboot

A reboot is the simplest way to make sure every process is using the updated library; processes keep the old libc mapped until they are restarted. If you cannot reboot, restart every long-running service and confirm that nothing still maps the pre-update library.
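When a reboot is not an option, the way to verify that the update is really in effect is to look for processes that still map the replaced library: the kernel keeps the old file alive for them and appends "(deleted)" to its path in /proc/PID/maps. The program below is an added example, not code from the original post; it scans /proc for such mappings and prints the PIDs that still need restarting. The matching logic is kept in a separate function and exercised on a constructed sample of maps lines so it can be checked without root access.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Returns 1 if one maps line is a libc mapping whose backing file has been
 * replaced. Matches "/libc-" (file names such as libc-2.12.so, used before
 * glibc 2.34) and "/libc.so" (libc.so.6, the file name from 2.34 on), which
 * deliberately excludes unrelated libraries such as libcrypto. */
int maps_line_is_stale_libc(const char *line)
{
    if (strstr(line, "(deleted)") == NULL)
        return 0;
    return strstr(line, "/libc-") != NULL || strstr(line, "/libc.so") != NULL;
}

/* Counts stale libc mappings in the text of one maps file. */
int count_stale_libc(const char *maps_text)
{
    int count = 0;
    const char *p = maps_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t n = nl ? (size_t)(nl - p) : strlen(p);
        char line[512];
        if (n >= sizeof line)
            n = sizeof line - 1;           /* maps lines are far shorter */
        memcpy(line, p, n);
        line[n] = '\0';
        count += maps_line_is_stale_libc(line);
        if (!nl)
            break;
        p = nl + 1;
    }
    return count;
}

/* Walks /proc and prints every PID that still maps a replaced libc.
 * Returns the number of such processes, or -1 if /proc is unreadable.
 * Reading another user's maps file needs privilege, so run as root for a
 * system-wide answer; unreadable entries are skipped silently. */
int scan_proc_for_stale_libc(void)
{
    int hits = 0;
    DIR *proc = opendir("/proc");
    if (!proc) {
        perror("/proc");
        return -1;
    }
    struct dirent *ent;
    while ((ent = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)ent->d_name[0]))
            continue;                      /* only PID directories */
        char path[64];
        snprintf(path, sizeof path, "/proc/%s/maps", ent->d_name);
        FILE *f = fopen(path, "r");
        if (!f)
            continue;                      /* no permission, or it exited */
        char line[512];
        int stale = 0;
        while (fgets(line, sizeof line, f))
            stale |= maps_line_is_stale_libc(line);
        fclose(f);
        if (stale) {
            printf("PID %s still maps the pre-update libc\n", ent->d_name);
            hits++;
        }
    }
    closedir(proc);
    return hits;
}

/* Constructed sample (not captured from a real host): a replaced libc, an
 * anonymous mapping, and a replaced libcrypto that must not be counted. */
static const char sample_maps[] =
    "7f1e0c000000-7f1e0c1b5000 r-xp 00000000 08:01 131101 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)\n"
    "7f1e0c3c0000-7f1e0c3c2000 rw-p 00000000 00:00 0\n"
    "7f1e0c400000-7f1e0c41d000 r-xp 00000000 08:01 131088 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)\n";

int main(void)
{
    printf("sample: %d stale libc mapping(s)\n", count_stale_libc(sample_maps));
    return scan_proc_for_stale_libc() > 0 ? 1 : 0;
}
```

The exit status is non-zero while any process still maps the old library, so the scan can be run after the service restarts and repeated until it reports nothing. The same "(deleted)" mark applies to any updated shared object, not only libc, so the matching function is the only part specific to this advisory.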
