So there we have another vulnerability affecting the world of open source. Nicknamed the GHOST vulnerability, it affects the glibc library shipped with Linux systems. It has been assigned CVE-2015-0235.
According to Red Hat, GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library.
If this vulnerability is exploited, a remote attacker who is able to make an application call either of these functions can execute arbitrary code with the permissions of the user running the application. The attacker can trigger the buffer overflow by supplying an invalid hostname argument to an application that uses the gethostbyname() function.
You can check whether your server is vulnerable by running the following checker script on it.
# vi ghost.sh
#!/bin/bash
#Version 3
# Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/
echo "Installed glibc version(s)"
rv=0
# Check every installed glibc package (one entry per architecture)
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    # Extract the upstream version, then its major and minor parts
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
        \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done
# Exit status is 1 if any installed glibc package is vulnerable
if [ $rv -ne 0 ]; then
    cat <<EOF
This system is vulnerable to CVE-2015-0235.
EOF
fi
exit $rv
# chmod +x ghost.sh
# ./ghost.sh
After running the above script, if the result looks something like this:
Installed glibc version(s)
- glibc-2.5-123.el5_11.1.i686: not vulnerable
- glibc-2.5-123.el5_11.1.x86_64: not vulnerable
then the server is free from the GHOST vulnerability. On the other hand, if the result looks something like this:
Installed glibc version(s)
- glibc-2.5-118.el5_10.2.x86_64: vulnerable
- glibc-2.5-118.el5_10.2.i686: vulnerable
then you will need to update glibc at the earliest (most of the distros have pushed an update).
If you are on a CentOS/Red Hat machine, run the following command:
# yum update glibc*
Once the update is complete, reboot your server.
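The reboot matters because processes started before the update keep the old glibc mapped in memory even though the file on disk has been replaced. The following script is an added example, not part of the original post or of Red Hat's checker; it lists such processes by looking for a "(deleted)" glibc mapping in /proc/<pid>/maps. The function names and the optional directory argument are assumptions made for illustration.

```shell
#!/bin/bash
# Added example: find processes that still map a glibc file which has been
# replaced on disk. Run as root to see every process; without root only
# your own processes are readable.

# Return 0 if the given maps file contains a deleted glibc mapping.
# Matches both libc.so.6 and the versioned file name (e.g. libc-2.5.so),
# but not other libraries such as libcrypt or libcap.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Print "pid name" for each process with a stale glibc mapping.
# $1 is the proc directory; it defaults to /proc and is a parameter only
# so that the function can be exercised on a constructed directory tree.
list_stale_libc_processes() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_stale_libc "$maps"; then
            dir=${maps%/maps}
            pid=${dir##*/}
            # The process name is the second field of the "Name:" line
            name=$(awk '/^Name:/ { print $2; exit }' "$dir/status" 2>/dev/null) || name=''
            echo "$pid ${name:-?}"
        fi
    done
}

# No output means no readable process is still using the old library.
list_stale_libc_processes /proc
```

Any process it prints is still running the pre-update glibc until it is restarted, which a reboot takes care of for all of them at once.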