GHOST Vulnerability

Most of us have heard about the GHOST vulnerability (CVE-2015-0235), which was identified yesterday (27-Jan-2015) by the Openwall Project. Patches have also been released for all the Linux distributions.

What is GHOST Vulnerability

The GHOST vulnerability is a weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.

During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it — and its impact — thoroughly, and named this vulnerability “GHOST”. (Taken from the Qualys website.)

How to identify GHOST Vulnerability

Run the command below (for RPM-based distributions). If you get a result like “- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).” your system is not vulnerable. If you don’t get any result, your server has the glibc vulnerability.

root@2daygeek [~]# rpm -q --changelog glibc | grep CVE-2015-0235

How to fix GHOST Vulnerability

Check whether a glibc package update is available. If it is, update the glibc package and re-run the above command. That’s it.

# Check glibc package update #
root@2daygeek [~]# yum list glibc
Loaded plugins: fastestmirror, security
Loading mirror speeds from cached hostfile
 * base: mirror.mhd.uk.as44574.net
 * extras: mirrors.coreix.net
 * updates: mirrors.coreix.net
base                                                                                                                     | 3.7 kB     00:00     
extras                                                                                                                   | 3.4 kB     00:00     
updates                                                                                                                  | 3.4 kB     00:00     
Installed Packages
glibc.i686                                                       2.12-1.132.el6_5.2                                                     @updates
glibc.x86_64                                                     2.12-1.132.el6_5.2                                                     @updates
Available Packages
glibc.i686                                                       2.12-1.149.el6_6.5                                                     updates 
glibc.x86_64                                                     2.12-1.149.el6_6.5                                                     updates 

# Upgrade glibc package  #
root@2daygeek [~]# yum update glibc

# Check whether GHOST Vulnerability is fixed by running below command  #
root@2daygeek [~]# rpm -q --changelog glibc | grep CVE-2015-0235
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).

#  For Ubuntu/Debian/LinuxMint  #
root@2daygeek [~]# sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade

Finally, reboot the server once so that every running service loads the updated glibc.
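The changelog check and the reboot step above, as an added example that is not part of the original post: a shell script that runs the changelog test against each installed glibc build separately (the output above lists both glibc.i686 and glibc.x86_64) and lists processes that still map the pre-update libc. The function names are this example's own; it assumes an RPM-based host and a Linux /proc.

```shell
#!/bin/sh
# Added example (not from the original post): per-build GHOST check on RPM hosts.
CVE='CVE-2015-0235'

# Read one package's changelog on stdin; print "patched" if it names the CVE.
changelog_status() {
    if grep -q -- "$CVE"; then echo patched; else echo unpatched; fi
}

# Query each installed glibc build (e.g. i686 and x86_64) on its own, so one
# updated build cannot hide an outdated one. Returns 1 if any is unpatched.
check_installed_glibc() {
    rc=0
    for pkg in $(rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' glibc); do
        status=$(rpm -q --changelog "$pkg" | changelog_status)
        echo "$pkg $status"
        [ "$status" = patched ] || rc=1
    done
    return "$rc"
}

# True if the maps file in $1 still maps a libc that was replaced on disk;
# the kernel appends "(deleted)" to mappings whose file has been unlinked.
maps_has_stale_libc() {
    grep -Eq '/libc[-.][^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Print the PID of every process that has not yet loaded the updated libc.
list_stale_pids() {
    for m in /proc/[0-9]*/maps; do
        if maps_has_stale_libc "$m"; then
            pid=${m#/proc/}; echo "${pid%/maps}"
        fi
    done
}

# Live check: runs only where rpm manages glibc.
if command -v rpm >/dev/null 2>&1 && rpm -q glibc >/dev/null 2>&1; then
    check_installed_glibc || echo "WARNING: a glibc build lacks the $CVE fix"
    echo "PIDs still using the old libc (restart them or reboot):"
    list_stale_pids
fi
```

Run it as root after `yum update glibc`; without root, the maps files of other users' processes cannot be read and those processes are skipped.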

Reference links for more details:
Qualys: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
MITRE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
Openwall: http://www.openwall.com/lists/oss-security/2015/01/27/9
Red Hat: https://access.redhat.com/security/cve/CVE-2015-0235
CentOS: http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html
Red Hat: https://access.redhat.com/articles/1332213

About Prakash Subramanian

Prakash Subramanian is a Linux lover and has 3.5+ years of experience in Linux server administration with major Linux distributions such as RHEL, CentOS and Ubuntu. He is currently working as a Senior L2 Linux Server administrator.


8 Comments on “GHOST Vulnerability”

  1. Does this output mean the server is no more vulnerable?

    – Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
    – Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).

  2. Hi,

    If I update only “glibc”, then is it required to run the below update command in CentOS:
    yum clean
    yum update
