CVE-2015-0235: Newly discovered GHOST glibc library vulnerability

The GHOST vulnerability, which has been assigned CVE-2015-0235, is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.

GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker to execute arbitrary code with the permissions of the user running the application.

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that then calls gethostbyname().

Affected Linux server distros

  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x

How to check if the vulnerability is present on your server?

You can use the below test to check if your system is vulnerable.

  1. Download ghosttest.c program’s source code here
  2. Compile the script: [root@L1workplace ~]# gcc GHOST.c -o GHOST
  3. Execute the script: [root@L1workplace ~]# ./GHOST

Output for the script would be one of the following:

  • Vulnerable: This output indicates that you are vulnerable to GHOST Vulnerability & you have to follow the recommendations.
  • Not Vulnerable: This output indicates that you need not worry about upgrading glibc but should still restart networked services in case they have not been restarted since glibc was last upgraded.
  • Should not happen: This output indicates that your script has not run properly.

This command shows the programs that depend on glibc on your machine:

shell> lsof | grep libc | awk '{print $1}' | sort | uniq

Recommendations and Fixes:

1. Update the glibc packages on your system.

On CentOS 5.x/6.x/7.x :

shell> yum --disableplugin=fastestmirror upgrade glibc
[ This may also upgrade glibc-common, glibc-headers, glibc-devel and nscd packages ]

On Ubuntu and Debian :

shell> apt-get update
shell> apt-get install libc-bin libc-dev-bin libc6 libc6-dev

2. Restart vulnerable services listening on the machine’s public IP or 0.0.0.0 :

shell> netstat -tulnp | grep -v 127.0.0.1
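
To narrow the restart list to processes that still have the pre-upgrade glibc loaded, the following added example (not part of the original advisory; the function names and the `--scan` switch are hypothetical) reads /proc/<pid>/maps and reports every process that maps a libc file which has since been replaced on disk. It assumes a Linux /proc filesystem.

```sh
#!/bin/sh
# Added example, not part of the original advisory. Function names are hypothetical.
# A process that loaded glibc before the upgrade keeps the old library mapped;
# the kernel marks such a mapping in /proc/<pid>/maps with a trailing "(deleted)".
# Constructed sample of such a line:
#   7f1c2a000000-7f1c2a1b8000 r-xp 00000000 08:01 1315839 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)

# stale_libc_in_maps FILE
# Exit 0 if FILE (in /proc/<pid>/maps format) maps a libc whose file was unlinked.
stale_libc_in_maps() {
    # Field 6 is the pathname. The pattern matches libc-2.19.so and libc.so.6
    # but not libcrypt, libcap and other libraries that merely start with "libc".
    awk '$6 ~ /\/libc(-[0-9.]+)?\.so/ && $NF == "(deleted)" { found = 1 }
         END { exit !found }' "$1"
}

# list_stale_libc_procs [PROC_ROOT]
# Print "PID COMMAND" for each process under PROC_ROOT (default /proc) that
# still runs on the old libc and therefore has to be restarted.
list_stale_libc_procs() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        # Skip processes that exited meanwhile or that we may not inspect.
        [ -r "$maps" ] || continue
        if stale_libc_in_maps "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            pid=${dir##*/}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Scan the live system only when asked to, so the file can also be sourced.
if [ "${1:-}" = "--scan" ]; then
    list_stale_libc_procs /proc
fi
```

Run it as root with `--scan` after the package upgrade so that every process's maps file is readable; an empty result means no running process still uses the old library.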

For managed customers, we are in the process of applying the necessary patches.
Please mail us at support@e2enetworks.com for any queries that you may have.