GHOST – Another scary vulnerability that needs your attention!!
On January 27th 2015 the GHOST vulnerability was revealed to the public and was assigned CVE-2015-0235 (Common Vulnerabilities and Exposures). The vulnerability is a buffer overflow bug in glibc's gethostbyname family of functions (the "GetHost" part of the name), which is why it is called the GHOST vulnerability.

What is glibc?

Impact

Are you affected?
First check which glibc version is installed, using ldd --version:
[root@test ~]# ldd --version
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
The following test program checks whether a system is vulnerable or not:
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* A result buffer followed directly by a canary: if gethostbyname_r writes
 * past the buffer, the canary is clobbered. */
struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;

    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    /* Build an all-digit hostname whose length is chosen so that the buffer
     * size is exactly at the boundary the vulnerable code miscalculates. */
    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

    /* Canary overwritten: the call wrote beyond the buffer it was given. */
    if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
    }
    /* A fixed glibc rejects the undersized buffer with ERANGE instead of overflowing. */
    if (retval == ERANGE) {
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
}
Save this program under the name GHOST.c and compile it with the command below:
[root@test ~]$ gcc GHOST.c -o GHOST
On glibc-2.17, executing the above program reports:
[root@test ~]$ ./GHOST
vulnerable
On glibc-2.18, executing the above program reports:
[root@test ~]$ ./GHOST
not vulnerable

Yes, I'm affected. What's next?
Update glibc through your distribution's package manager. For example:
RHEL/CentOS
sudo yum update glibc
Ubuntu/Debian
sudo apt-get upgrade glibc
NOTE: Ubuntu/Debian uses a variant of glibc called eglibc.
Now check the version of glibc again. It must be glibc-2.18 or later.
NOTE: Some distros backport the fix into their older version instead of shipping 2.18. If the version number is still below 2.18 after the update, use the test program above to determine whether you are still vulnerable.
The command below lists all the running binaries that use the glibc libraries:
lsof | grep libc | awk '{print $1}' | sort | uniq
It will return a long list of binaries. Restarting every one of those services individually is tedious, and since the GNU C Library is used by almost every application on the system, a reboot is the practical way to make sure nothing keeps running with the old library loaded.
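As an added example (not from the original post), a narrower check than the lsof listing above: after the update, scan /proc/*/maps for processes that still map a libc file that has since been replaced on disk, which is exactly the set of services that need a restart. It assumes a Linux /proc layout where a replaced file shows as "(deleted)"; the function names are mine and the sample maps lines used to test it are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): after updating glibc, find the
# processes that still map the OLD libc, i.e. the ones that need a restart.
# Assumption: Linux /proc; the package manager replaced libc.so.6 on disk, so a
# process still using the old copy shows that mapping as "(deleted)".

# stale_libc_maps: read one process's /proc/<pid>/maps on stdin and print each
# libc path that is marked deleted (once). Exit 0 if any was found, else 1.
# The pattern matches /libc.so.6 and /libc-2.xx.so but not libcrypto, libcap, etc.
stale_libc_maps() {
    awk '$6 ~ /\/libc[.-][0-9.]*so/ && $7 == "(deleted)" && !seen[$6]++ {
             print $6; found = 1
         }
         END { exit (found ? 0 : 1) }'
}

# list_processes_with_stale_libc: walk /proc and print "pid comm" for every
# process mapping a deleted libc. Run as root: other users' maps files are not
# readable otherwise and those processes would silently be skipped.
list_processes_with_stale_libc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if stale_libc_maps < "$maps" >/dev/null 2>&1; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done | sort -n
}

# Scan the live system only when asked for, so the file can also be sourced.
if [ "${GHOST_SCAN-}" = 1 ]; then list_processes_with_stale_libc; fi
```

Run it as root with GHOST_SCAN=1 sh stale_libc.sh; an empty result after the update means no process still holds the old library.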
About ViSolve
ViSolve is a consulting firm that provides Enterprise services like Cloud Deployment, Monitoring, Support and Security. More information about ViSolve can be found here. To know more about enhancing your data security, drop us an e-mail – [email protected].