GHOST Vulnerability Advisory

By Terry Dolbey and Matt Stiles

1- Background on CVE-2015-0235 (GHOST)

The GNU C Library (glibc) is the GNU project's implementation of the C library. It provides core functionality to Unix and Linux (Nix) based operating systems and gives the applications installed on them access to common functions.

The “__nss_hostname_digits_dots()” function within glibc was identified as vulnerable to a heap-based buffer overflow. This vulnerability was given the name GHOST and is tracked as CVE-2015-0235. The bug can be reached through the “gethostbyname()” and “gethostbyname2()” functions, which perform a DNS resolution of a hostname to an IP address.

Successful remote exploitation of the vulnerability could allow a cyber-criminal to gain remote access to a system, while local exploitation could be used for a privilege escalation attack with the goal of increasing the cyber-criminal's privilege level.


2- Who is affected

Currently the GHOST vulnerability affects GNU C libraries from glibc-2.2, which was released in the year 2000, to a recent version of glibc-2.18 released in August 2013. This affects both 32-bit and 64-bit releases of the glibc libraries.

A few popular Nix based operating systems that are currently affected include Debian 7 (Wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04 and prior. Furthermore, any other Nix based operating system that was released prior to August 2013 may also be affected.

As this is a core Nix library, several software packages that rely on the “gethostbyname*()” functions in glibc are affected by this vulnerability. A non-exhaustive list of the Nix software packages that have been validated as vulnerable includes:

  • Exim SMTP mail server
  • Clockdiff
  • Procmail
  • Pppd (ms-wins, ms-dns and socket options)
  • Ping (special conditions required)
  • Arping (special conditions required)


3- How can you identify if you are vulnerable

Red Hat/CentOS

The following command can be used to detect the version of glibc library installed:

rpm --query --info glibc

Debian/Ubuntu

Similarly, the following command can be used to determine the version of glibc installed on Debian/Ubuntu based systems:

dpkg -s libc6

This will return information about the package, including the installed version of the glibc libraries. Any version number between 2.2 and 2.18 can be assumed to be vulnerable and requires patching.
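The range check above is easy to get wrong in a script, because 2.18 sorts below 2.2 when compared as a string or a decimal. The following shell functions are an added example, not part of the original advisory: they apply the advisory's 2.2 to 2.18 range to version strings in the form rpm and dpkg print, reading only the upstream version and ignoring the distribution release suffix. The function names and sample version strings are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the advisory. Function names are illustrative.

# Apply the advisory's range (2.2 to 2.18) to a glibc version string.
# Exit status: 0 = inside the range, 1 = outside, 2 = could not parse.
ghost_version_in_range() {
    upstream=${1%%-*}            # drop the distro release: 2.13-38+deb7u6 -> 2.13
    case $upstream in
        *.*) ;;
        *) return 2 ;;
    esac
    major=${upstream%%.*}
    rest=${upstream#*.}
    minor=${rest%%.*}            # ignore any patch level: 2.17.1 -> 17
    for part in "$major" "$minor"; do
        case $part in
            ''|*[!0-9]*) return 2 ;;
        esac
    done
    # Compare the minor number as an integer: as a string or a decimal,
    # 2.18 sorts below 2.2.
    [ "$major" -eq 2 ] && [ "$minor" -ge 2 ] && [ "$minor" -le 18 ]
}

# Print the upstream glibc version of the running system, or nothing.
installed_glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null) || v=
    echo "${v#glibc }"           # getconf prints e.g. "glibc 2.17"
}

ghost_report() {
    if ghost_version_in_range "$1"; then
        echo "glibc $1: within 2.2-2.18, patch per the advisory"
    else
        case $? in
            1) echo "glibc $1: outside 2.2-2.18" ;;
            *) echo "glibc '$1': version not recognised, check manually" ;;
        esac
    fi
}

# Constructed sample strings in rpm/dpkg style, then the local system.
for v in 2.12-1.el6 2.13-38+deb7u6 2.15-0ubuntu10 2.19-18 "$(installed_glibc_version)"; do
    ghost_report "$v"
done
```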

 

4- How can you remediate

Shearwater recommends upgrading all affected Nix based systems to the secure September 2014 release of glibc (glibc-2.20).


Red Hat/CentOS Upgrade Process

To update glibc on Red Hat and CentOS based distributions, follow the instructions below:

1- Clear the package cache on the system.

sudo yum clean all

2- Perform a package update.

sudo yum update glibc

3- Install the package update.

During the update process, a prompt asking if it is ok to install the updates will appear.


Debian/Ubuntu Upgrade Process

1- Clear the package cache on the system.

sudo apt-get clean

Note: This will remove all packages from the package cache. “apt-get autoclean” will only remove packages that are no longer installed on the system from the cache.

2- Perform a package update.

sudo apt-get update

3- Install the package update.

sudo apt-get install --only-upgrade libc6


5- How can we help

If required, there are several ways in which we can assist. These include:

  • Identifying vulnerable services
  • Prioritising patch deployment
  • Assisting with risk management

Shearwater is dedicated to its customers’ security and is always happy to provide advice. If any assistance is required, please contact us via email at seh@shearwater.com.au or via phone on 1300 228 872.