How To Patch and Protect Linux Server Against the Glibc GHOST Vulnerability # CVE-2015-0235
A very serious security problem has been found in the GNU C Library (Glibc) called GHOST. How can I fix the GHOST vulnerability and protect my Linux server against the attack? How do I verify that my server has been fixed against the Glibc GHOST vulnerability?
A very serious security problem has been found and patched in the GNU C Library called Glibc. It was announced on 27th January 2015.
What is the GHOST security bug?
From the RHEL bugzilla:
A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.
A mailing list entry with more details, including in-depth analysis and exploit vectors is here.
What C library (Glibc) version does my Linux system use?
The easiest way to check the version number is to run the following command:
ldd --version
Sample outputs from RHEL/CentOS Linux v6.6:
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Sample outputs from Ubuntu Linux 12.04.5 LTS:
ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Sample outputs from Debian Linux v7.8:
ldd (Debian EGLIBC 2.13-38+deb7u6) 2.13
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
A list of affected Linux distros
RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
CentOS Linux version 5.x, 6.x & 7.x
Ubuntu Linux version 10.04, 12.04 LTS
Debian Linux version 7.x
Linux Mint version 13.0
Fedora Linux version 19 or older
SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP2 LTSS
SUSE Linux Enterprise Server 11 SP1 LTSS
SUSE Linux Enterprise Server 10 SP4 LTSS
SUSE Linux Enterprise Desktop 11 SP3
Arch Linux glibc version <= 2.18-1
GHOST vulnerability check
You can test or reproduce the bug using the following C code:
/* ghosttest.c: GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r();
   if the lookup writes past the end of the buffer, the canary is clobbered. */
struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;

    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];

    /* A name made only of digits takes the __nss_hostname_digits_dots() path;
       its length is chosen so that it just fails to fit in the buffer. */
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
    }
    if (retval == ERANGE) {
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
}
Compile and run it as follows:
$ gcc ghosttest.c -o ghosttest
$ ./ghosttest
Sample outputs from patched Debian v7.8 server:
not vulnerable
Sample outputs from unpatched Ubuntu 12.04 LTS server:
vulnerable
How do I list the packages/applications that depend upon the vulnerable Glibc?
Type the following lsof command:
lsof | grep libc | awk '{print $1}' | sort | uniq
Sample outputs from my Debian Linux v7.x nas:
Fig.01: Linux find all the services/applications that rely on the GNU C libraries (Glibc) command
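The lsof listing above shows what links against Glibc, but after the package is updated the question becomes which processes are still running the old copy: a process that loaded libc before the upgrade keeps executing the vulnerable code until it is restarted or the host is rebooted. The script below is an added example, not part of the original article or any distribution tool; it assumes a Linux host where the kernel marks such mappings with "(deleted)" in /proc/<pid>/maps, and the maps excerpts it works on are constructed samples, not captured output.

```shell
#!/bin/sh
# Added example, not part of the original article: report processes that still
# map the OLD glibc after the package on disk has been replaced.
# Assumes Linux: each /proc/<pid>/maps line reads
#   address perms offset dev inode pathname [(deleted)]
# and "(deleted)" is appended when the mapped file was unlinked, which is what
# happens when the package manager installs a new libc-*.so.

# stale_libc_mappings: read maps lines on stdin; print each distinct deleted
# libc path once, in first-seen order. Returns 0 if none, 1 if any were found.
stale_libc_mappings() {
    awk '
        $NF == "(deleted)" && $(NF-1) ~ /\/libc[-.][0-9.]*so/ && !seen[$(NF-1)]++ {
            print $(NF-1); n++
        }
        END { exit (n > 0) }
    '
}

# scan_live_processes: walk /proc (root is needed to read other users maps) and
# print "<pid> <command> <stale libc path>" for every affected process.
# Returns 1 if at least one process still needs a restart.
scan_live_processes() {
    found=0
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        [ -r "$maps" ] || continue
        for path in $(stale_libc_mappings < "$maps"); do
            printf '%s %s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" "$path"
            found=1
        done
    done
    return $found
}

# Constructed sample (not captured from a real host): a daemon that loaded
# Debian's libc-2.13.so before the update, so its mapping is flagged deleted.
SAMPLE_MAPS='7f1c2a000000-7f1c2a1a0000 r-xp 00000000 08:01 1052 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f1c2a1a0000-7f1c2a3a0000 ---p 001a0000 08:01 1052 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f1c2a3a0000-7f1c2a3a4000 r--p 001a0000 08:01 1052 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f1c2a800000-7f1c2a820000 r-xp 00000000 08:01 2071 /lib/x86_64-linux-gnu/ld-2.13.so
7fff1c000000-7fff1c021000 rw-p 00000000 00:00 0 [stack]'

# Constructed sample of a process started after the update: same path, a new
# inode and no "(deleted)" marker, so there is nothing to report.
CLEAN_MAPS='7f1c2a000000-7f1c2a1a0000 r-xp 00000000 08:01 1097 /lib/x86_64-linux-gnu/libc-2.13.so
7fff1c000000-7fff1c021000 rw-p 00000000 00:00 0 [stack]'

# Demonstration on the constructed sample: prints the stale path and a hint.
printf '%s\n' "$SAMPLE_MAPS" | stale_libc_mappings \
    || echo "=> restart that process (or reboot) so it loads the patched glibc"
# On a real host, as root, run: scan_live_processes
```

If a maintenance window for the reboot is some way off, run scan_live_processes as root right after the glibc update and restart the listed services; an empty result means every running process already uses the patched library. lsof shows the same unlinked mappings with "(deleted)" in its NAME column, so the article's lsof pipeline can be narrowed the same way.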
Fix the GHOST vulnerability on a CentOS/RHEL/Fedora/Scientific Linux
Type the following yum command as the root user:
sudo yum clean all
sudo yum update
Finally, reboot RHEL/SL/Fedora/CentOS Linux server by typing the following command:
## Sysadmin should plan on updating as soon as possible or use a maintenance reboot window ##
sudo reboot
Sample outputs:
Fig.02 Fix the GHOST vulnerability on a CentOS/RHEL/Fedora/Scientific Linux
Fix the GHOST vulnerability on a Ubuntu Linux
Type the following apt-get command as the root user:
sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
## only run dist-upgrade on Ubuntu if you want to upgrade the kernel too ##
sudo apt-get dist-upgrade
Finally, reboot Ubuntu Linux server by typing the following command:
sudo reboot
Sample outputs:
Fig.03: Fix the GHOST vulnerability on a Ubuntu Linux LTS
Fix the GHOST vulnerability on a Debian Linux
Type the following apt-get command as the root user:
sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
## No need to do dist-upgrade (see man page: man apt-get) ##
sudo apt-get dist-upgrade
Finally, reboot Debian Linux server by typing the following command:
sudo reboot
Sample session:
Gif 01: Fix the GHOST vulnerability on a Debian Linux server
Fix the GHOST vulnerability on a SUSE Linux Enterprise
To install this SUSE Security Update use YaST online_update. Or use the following commands as per your version:
SUSE Linux Enterprise Software Development Kit 11 SP3
zypper in -t patch sdksp3-glibc-10206
SUSE Linux Enterprise Server 11 SP3 for VMware
zypper in -t patch slessp3-glibc-10206
SUSE Linux Enterprise Server 11 SP3
zypper in -t patch slessp3-glibc-10206
SUSE Linux Enterprise Server 11 SP2 LTSS
zypper in -t patch slessp2-glibc-10204
SUSE Linux Enterprise Server 11 SP1 LTSS
zypper in -t patch slessp1-glibc-10202
SUSE Linux Enterprise Desktop 11 SP3
zypper in -t patch sledsp3-glibc-10206
Finally, run the following on any SUSE Linux version to bring your system up to date:
zypper patch
Fix the GHOST vulnerability on a OpenSUSE Linux
To see a list of available updates including glibc on a OpenSUSE Linux, enter:
# zypper lu
To simply update installed glibc packages with their newer available versions, run:
# zypper up
How can I verify that my Linux system is no longer vulnerable after the reboot?
Method #1: The easiest way to check vulnerability and/or confirm remediation is to run the following command to verify that you are running an updated version of Glibc:
$ ldd --version
Method #2: Run the instructions given in the previous section called GHOST vulnerability check (generic method for all Linux based systems).
Method #3: If you are an RHN subscriber, see the Red Hat Access Lab: GHOST tool (only for RHEL/CentOS/SL systems; download link):
#!/bin/bash
# rhel-GHOST-test.sh - GHOST vulnerability tester. Only for CentOS/RHEL based servers. #
# Version 3
# Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/ #

echo "Installed glibc version(s)"

rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }' )
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }' )

    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
        \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi

exit $rv
Sample outputs from patched RHEL v6.8 server:
$ bash rhel-GHOST-test.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.5.x86_64: not vulnerable
- glibc-2.12-1.149.el6_6.5.i686: not vulnerable