Standing a Ghost of a Chance With GHOST

January 28, 2015

The seemingly endless parade of vulnerabilities in legacy code that characterized much of 2014 continues into 2015 with CVE-2015-0235, which the security vendor Qualys published as a security advisory on Tuesday, January 27.

What is it?

The vulnerability called “GHOST” is due to a buffer overflow in a function that is part of the GNU C Library (glibc) and can be triggered either locally or remotely through a very common programming function that is part of this library.

Although there are some limitations, the vulnerability appears to be exploitable and can result in arbitrary code execution on vulnerable systems. The GHOST vulnerability dates back to November 10, 2000, with the release of glibc-2.2. The issue was fixed in the latest version of glibc (released after May 2013); however, many stable and long-term-support distributions do not include the update because the security issue was not known until recently.

What is impacted?

This bug is present in all versions of Red Hat Enterprise Linux and variants (CentOS etc.) as well as Debian and Ubuntu systems.

Many servers, services and programs that rely on glibc’s gethostbyname() and certain other functions that are used to resolve domain name system look-up requests are vulnerable unless glibc has been updated. This includes services such as mail servers, web/http servers, MySQL servers, SSH servers, and more. Any program that does a DNS lookup can potentially trigger this overflow.

What do I do next?

Look for package updates from your distribution vendor. Red Hat has released the CVE publicly; check in to follow their progress in putting together an update. CentOS is preparing a release and may have one already by the time you are reading this. Debian and Ubuntu have already released package updates.

The best course of action is to use your preferred package management tool to do a general update of your system – for example “yum clean all && yum update” on RHEL, CentOS, and Fedora or “apt-get clean && apt-get update && apt-get upgrade” on Debian and Ubuntu.

Once you have updated your systems, services that rely on glibc will need to be restarted. If you can’t simply reboot your systems, you can find out which programs use glibc with the lsof command: “lsof | grep libc | awk '{print $1}' | sort | uniq”.
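The lsof one-liner matches any path containing "libc" (libcrypto, libcap and so on), whether or not the process still holds the old copy. As an added example (not from the original post), this script narrows the check to processes that still map a replaced glibc. It assumes Linux /proc and that the package update replaced the library file on disk; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Assumes Linux /proc; run as root to see every process.

# Succeed if FILE (/proc/PID/maps format) maps a glibc object that was
# replaced on disk: the kernel appends " (deleted)" to such mappings.
# The pattern matches libc.so.6 or libc-2.NN.so, not libcrypto, libcap, etc.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$1" 2>/dev/null
}

# Print "PID COMMAND" for each process under PROCROOT (default /proc)
# that still has the pre-update glibc mapped and so needs a restart.
list_stale_procs() {
    root=${1:-/proc}
    for d in "$root"/[0-9]*; do
        [ -r "$d/maps" ] || continue
        if maps_has_stale_libc "$d/maps"; then
            name=$(cat "$d/comm" 2>/dev/null) || name='?'
            printf '%s %s\n' "${d##*/}" "$name"
        fi
    done
}

# Build a constructed /proc-like tree in DIR for offline testing.
make_sample_proc() {
    mkdir -p "$1/101" "$1/102" "$1/103"
    echo sshd > "$1/101/comm"
    echo '7f1a2000-7f1a3000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)' > "$1/101/maps"
    echo cron > "$1/102/comm"
    echo '7f1a2000-7f1a3000 r-xp 00000000 08:01 2422 /lib/x86_64-linux-gnu/libc-2.19.so' > "$1/102/maps"
    echo nginx > "$1/103/comm"
    echo '7f1a2000-7f1a3000 r-xp 00000000 08:01 1500 /usr/lib/libcrypto.so.1.0.0 (deleted)' > "$1/103/maps"
}

# With no argument, scan the live /proc.
list_stale_procs "${1:-/proc}"
```

An empty result after the update and service restarts means no running process still has the old library mapped.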
