CVE-2015-0235, is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker to execute arbitrary code with the permissions of the user running the application. The gethostbyname() function calls are used for DNS reesolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer ovrflow by supplying an invalid hostname argument to an application that then calls gethostbyname(). Affected linux server distros
- CentOS Linux version 5.x, 6.x & 7.x
- Ubuntu Linux version 10.04, 12.04 LTS
- Debian Linux version 7.x
How to check if the vulnerability is present on your server? You can use the below test to check if your system is vulnerable.
- Download ghosttest.c program's source code here
- Compile the script: [root@L1workplace ~]# gcc GHOST.c -o GHOST
- Execute the script: [root@L1workplace ~]# ./GHOST
Output for the script would be one of the following:
- Vulnerable: This output indicates that you are vulnerable to GHOST Vulnerability & you have to follow the recommendations.
- Not Vulnerable: This output indicates that you need not worry about upgrading glibc but should still restart networked services in case they have not been restarted since glibc was last upgraded.
- Should not happen: This output indicates that your script has not run properly.
This command shows the programs that depends on glibc on your machine:shell> lsof | grep libc | awk '{print $1}' | sort | uniqRecommendations and Fixes:1. Update the glibc packages on your system.On CentOS 5.x/6.x/7.x :shell> yum --disableplugin=fastestmirror upgrade glibc[ This may also upgrade glibc-common, glibc-headers, glibc-devel and nscd packages ]On Ubuntu and Debian :shell> apt-get updateshell> apt-get install libc-bin libc-dev-bin libc6 libc6-dev2. Restart vulnerable services listening on the machine's public IP or 0.0.0.0 :shell> netstat -tulnp | grep -v 127.0.0.1For managed customers, we are in process of applying the necessary patches.Please mail us at support@e2enetworks.com for any queries that you may have.Check the pricing of our offerings here
