More heartbreaking news for Linux administrators and users: a serious vulnerability has been detected in the Linux glibc library, and it has been named “GHOST”. The GNU C Library (glibc) is an implementation of the standard C library and a core part of the Linux operating system. This vulnerability allows attackers to take complete control of the system without knowing the system credentials. It has been assigned CVE-2015-0235 in the National Vulnerability Database (NVD). The bug was discovered by Qualys security researchers.
GHOST is a ‘buffer overflow’ bug affecting the function calls gethostbyname() and gethostbyname2() in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.
The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000. Qualys security researchers identified a number of factors that mitigate the impact of this bug. In particular, they discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04.
Redhat Linux:
How to identify whether the system is vulnerable or not?
1. Copy the below script to your system. (Ex: Filename = ghost.sh)
```bash
#!/bin/bash
# Print kernel and release details for the report
uname -a
cat /etc/redhat-release

echo "Installed glibc version(s)"

rv=0
# Check every installed glibc package (multilib systems can have more than one)
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')

    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
        \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi

exit $rv
```
2. Make the file executable.

```
[UnixArena# ~]$ chmod +x ghost.sh
[UnixArena# ~]$ ./ghost.sh
```

3. Execute the script.

```
[UnixArena# ~]$ ./ghost.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.5 revision 118
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
[UnixArena# ~]$
```

If the system is not vulnerable, you will get a message like the one below.
Not vulnerable.
To eliminate the possibility of an exploit on Redhat Linux: (Refer: Redhat support article)
- Update the glibc and nscd packages on your system using the packages released with the following errata:
- Restart vulnerable services that use glibc (since so many services use glibc, the safest option is to restart the system).
We just need to follow the steps below to address the issue, since it requires a lot of dependencies.

```
# yum clean all
# yum repolist -v
# yum update glibc
# reboot
```

How to confirm whether the system needs to be restarted? (Refer: Man Page)

You can use the command below to check whether the system requires a reboot after updating the glibc package.

```
# needs-restarting |wc -l
190
```
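A complementary check to needs-restarting, added here as an example that is not part of the original article or of Red Hat's script: it lists processes whose /proc/<pid>/maps still reference a libc file that was replaced on disk (marked "(deleted)"), which means they are still running the old library. The function name stale_libc_pids and its optional proc-root argument are assumptions made for this example.

```shell
#!/bin/bash
# Added example: find processes still mapping a replaced (unlinked) libc.
# After "yum update glibc" the old library file is unlinked, and the kernel
# shows its path with a trailing "(deleted)" in /proc/<pid>/maps until the
# process restarts. Run as root to inspect every process on the system.

# stale_libc_pids [PROC_ROOT]
# Prints "<pid> <command name>" for each affected process.
# PROC_ROOT defaults to /proc; the argument is hypothetical plumbing that lets
# the function be exercised against a constructed directory tree.
stale_libc_pids() (
    proc_root=${1:-/proc}
    for dir in "$proc_root"/[0-9]*; do
        # Skip entries we cannot read (exited processes, insufficient privileges)
        [ -r "$dir/maps" ] || continue
        # Matches libc-2.12.so, libc.so.6 and prelink temp names, but not
        # unrelated libraries such as libcap.so or libcrypto.so.
        if grep -Eq '/libc([-.][^ /]*)?\.so[^ /]* \(deleted\)$' "$dir/maps" 2>/dev/null; then
            pid=${dir##*/}
            # /proc/<pid>/comm is missing on older kernels; fall back to "?"
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
)

# Scan the live system (or the directory given as the first argument)
stale_libc_pids "$@"
```

An empty result after the update and service restarts means no running process is still using the old libc mapping.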
Please add if you find anything to address this bug promptly.