Most of us knew about GHOST (CVE-2015-0235) Vulnerability which was identified yesterday (27-Jan-2015) by Openwall Project and patches also released to all the linux distribution.
What is GHOST Vulnerability
The GHOST vulnerability is a weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it — and its
impact — thoroughly, and named this vulnerability “GHOST” taken from Qualys website.
How to identify GHOST Vulnerability
Run the below command. If you get results like “- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).” your system is not Vulnerable. If you dodn’t get any results means your server having glibc vulnerablilty.
root@2daygeek [~]# rpm -q --changelog glibc | grep CVE-2015-0235
How to fix GHOST Vulnerability
Check whether glibc pacakge update is available or not. If available , update glibc package and Re-run the above command that’s it.
# Check glibc package update # root@2daygeek [~]# yum list glibc Loaded plugins: fastestmirror, security Loading mirror speeds from cached hostfile * base: mirror.mhd.uk.as44574.net * extras: mirrors.coreix.net * updates: mirrors.coreix.net base | 3.7 kB 00:00 extras | 3.4 kB 00:00 updates | 3.4 kB 00:00 Installed Packages glibc.i686 2.12-1.132.el6_5.2 @updates glibc.x86_64 2.12-1.132.el6_5.2 @updates Available Packages glibc.i686 2.12-1.149.el6_6.5 updates glibc.x86_64 2.12-1.149.el6_6.5 updates # Upgrade glibc package # root@2daygeek [~]# yum update glibc # Check whether GHOST Vulnerability is fixed by running below command # root@2daygeek [~]# rpm -q --changelog glibc | grep CVE-2015-0235 - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533). - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533). # For Ubuntu/Debian/LinuxMint # root@2daygeek [~]# sudo apt-get update && sudo apt-get upgrade && sudo apt-get dist-upgrade
Finally reboot the server once.
Reference link for more details :
qualys : https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
mitre : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
openwall : http://www.openwall.com/lists/oss-security/2015/01/27/9
redhat : https://access.redhat.com/security/cve/CVE-2015-0235
centos : http://lists.centos.org/pipermail/centos-announce/2015-January/020907.html
Redhat : https://access.redhat.com/articles/1332213
Does this output mean the server is no more vulnerable?
– Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
– Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
@ Jolly,
Yes, its fixed.
Hi ,
If I update only “glibc” ,then is it required to run below update command in centos :
yum clean
yum update
@shyam,
Not necessary to perform those commands but make sure your system upto date..If u have doubt then run yum update.
Dear Sir,
Reboot server is compulsory ?
Regards,
Bhavesh
Hi,
It’s not necessary because patch updated successfully. For safer side we can do.
Okay.. Thanks
Patel,
Welcome.