Linux ghost

How To Patch Linux Servers Against the Glibc GHOST Vulnerability # CVE-2015-0235

What is the vulnerability?

During a code audit Qualys researchers discovered a heap-based buffer overflow in Glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() Glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.

Impact

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

Why is it called the GHOST vulnerability?

It is called as the GHOST vulnerability as it can be triggered by the GetHOST functions.

Is the risk real?

During the testing, Qualys team developed a proof-of-concept in which they send a specially created e-mail to an Exim mail server and can get a remote shell to the Linux machine. This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems. The exploit is not publicly available at this time.
The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000. There are number of factors that mitigate the impact of this bug. In particular, it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.

What can be done to mitigate the risk?

Major Linux distribution vendors already released bug fix packages.

Fix the GHOST vulnerability on a CentOS/RHEL/Fedora/Scientific Linux

Type the following yum command as the root user:

Fix the GHOST vulnerability on Debian / Ubuntu

 Fix the GHOST vulnerability on SUSE

References:

http://www.openwall.com/lists/oss-security/2015/01/27/9

https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

https://rhn.redhat.com/errata/RHSA-2015-0090.html

https://launchpad.net/ubuntu/+source/eglibc

https://security-tracker.debian.org/tracker/CVE-2015-0235

https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html

http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html

http://lists.opensuse.org/opensuse-updates/2015-01/msg00085.html

http://www.gnu.org/software/libc/

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235