GHOST: glibc gethostbyname buffer overflow (CVE-2015-0235)

Vulnerability description:

A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running an affected application.

The overflow itself is limited to four bytes on a 32-bit system and eight bytes on a 64-bit system. Despite this limitation the threat is very real, since those few bytes can be used to trigger the execution of other, more complex code that may disclose information or cause damage.

The vulnerability has been nicknamed GHOST because of its relation to the gethostbyname() function.

Common Vulnerabilities and Exposures (CVE):

  • CVE-2015-0235: web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235

Affected versions:

Although the fix was released more than a year before the vulnerability was announced, the bug was not known to be a security vulnerability at the time the fixing version was released. The vulnerability was introduced in glibc 2.2, released November 10, 2000, and was resolved in glibc 2.18, released August 12, 2013. Servers and workstations installed or last updated between those dates are vulnerable to this buffer overflow and may allow remote code execution.

This bug may be present in all versions of Red Hat Enterprise Linux and variants (CentOS etc.) as well as Ubuntu/Debian and variant systems.

How to verify if your server is vulnerable:

Check the version of the GNU C Library in use on the system to ensure it is not a vulnerable version by running the following command:

ldd --version

If your system is using a vulnerable version of glibc, you can find which running software is affected by this vulnerability by executing the following command as root (running it as a non-root user gives incomplete results):

lsof | grep libc | awk '{print $1}' | sort | uniq

Please note that on Ubuntu, Debian and derivative systems the version numbers of the eglibc package differ from the actual glibc version.
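As an added example (not code from the original article), the following POSIX shell script automates the two checks above: it reads the version printed by ldd --version and tests it against the 2.2 to 2.18 window given in the "Affected versions" section, then scans /proc/PID/maps for processes that still map a libc file that has since been replaced on disk, which is how you confirm after the upgrade that every service has actually been restarted. It assumes that the first line of ldd --version ends with the version number and that the kernel marks a replaced mapped file with a trailing "(deleted)"; the version test is only indicative, because distributions often backport the fix without changing the upstream version number.

```shell
#!/bin/sh
# Added example (not from the original article). Assumptions: the first
# line of `ldd --version` ends with the glibc version (e.g. "ldd (GNU
# libc) 2.17"), and /proc/PID/maps marks a library whose file was
# replaced on disk with a trailing "(deleted)".

# Print the version number from the first line of `ldd --version` output.
ldd_version_from_output() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Return 0 when MAJOR.MINOR is inside the window given in the article
# (2.2 <= version < 2.18), 1 otherwise. A distribution suffix such as
# "2.15-0ubuntu10.5" or a third component as in "2.3.6" is ignored.
glibc_in_vulnerable_window() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%[!0-9]*}
    [ "$major" = 2 ] && [ "${minor:-0}" -ge 2 ] && [ "${minor:-0}" -lt 18 ]
}

# Given the text of one /proc/PID/maps file, print each libc path that is
# mapped from a file since replaced on disk: that process is still
# running the old glibc after the upgrade and needs a restart.
stale_libc_mappings() {
    printf '%s\n' "$1" | awk '/libc[-.]/ && /\(deleted\)/ { print $6 }' | sort -u
}

main() {
    version=$(ldd_version_from_output "$(ldd --version 2>/dev/null)")
    if glibc_in_vulnerable_window "$version"; then
        echo "glibc $version is in the 2.2 <= v < 2.18 window: check your distribution's advisory, fixes are often backported without a version bump"
    else
        echo "glibc ${version:-unknown} is outside the vulnerable window"
    fi
    # Reading every process's maps needs root; unreadable ones are skipped.
    for m in /proc/[0-9]*/maps; do
        [ -r "$m" ] || continue
        if [ -n "$(stale_libc_mappings "$(cat "$m" 2>/dev/null)")" ]; then
            pid=${m#/proc/}
            echo "PID ${pid%/maps} still maps a replaced libc; restart it"
        fi
    done
}

main "$@"
```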

Resolution:

Updating the GNU C Library should be enough. You *must* reboot the computer, or at least stop and restart the services that use the old version, after upgrading glibc, since running services will keep using the old version in memory until they are restarted.

For Red Hat Enterprise Linux (RHEL) and derivative systems (CentOS, Red Hat, Fedora, Scientific Linux etc.):

yum update glibc

For Debian, Ubuntu and derivatives of those distributions:

apt-get update && apt-get -y install libc6

Alternatively one might want to upgrade their entire system:

Care should be taken when updating a system, since newer versions of software may introduce interoperability or backwards-compatibility issues, especially if there are many updates to be made. Most modern Linux distributions update fairly seamlessly, but if the distribution is grossly out of date there may be issues.

NOTE: Always have full backups before attempting any major change.

In rare cases, instead of updating an entire system, it may be necessary to update only certain packages, or even to downgrade glibc to a version prior to glibc 2.2.

For Red Hat Enterprise Linux (RHEL) and derivative systems (CentOS, Red Hat, Fedora, Scientific Linux etc.):

yum clean all && yum update

For Debian, Ubuntu and derivatives of those distributions:

apt-get clean && apt-get update && apt-get upgrade

External references:
