GHOST Vulnerability

GHOST –Another scary vulnerability that needs your attention!!

    On January 27th 2015 the GHOST vulnerability was revealed to the public and has been assigned CVE-2015-0235 (Common Vulnerabilities and Exposures).  The vulnerability is a buffer overflow bug in the glibc’s GetHost function. This is why it is called as the GHOST vulnerability.

What is glibc?

    It’s the implementation of “Standard C library” described in C standards. It includes macros, symbols, functions which are used by most of the programs on the system. There are several other implementations of the “Standard C library” but the glibc package is most widely used by all the Unix/Linux distributions.

Impact

    GHOST buffer overflow bug affects the gethostbyname () and gethostbyname2 () function calls in the glibc library. These functions are used to perform DNS resolution, which is a common and most frequently used task. The vulnerability allows the attacker to take complete control of the system, by making an application call to either of these functions to execute arbitrary code, with the permissions of the user running the application. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

Are you affected?

    Well, most of you are. All the Unix/Linux distributions that use GNU C library prior to glibc-2.18 are affected by this vulnerability. Check the version of your gblic by running the following command:
[root@test ~]# ldd --version
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Test program that checks whether a system is vulnerable or not:
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define CANARY "in_the_coal_mine"
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;
  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}
Save this program under name GHOST.c


Compile the program by using below command:
#[root@test ~]$ gcc GHOST.c -o GHOST

On glibc-2.17 – On executing the above code
#[user@...ora-19 ~]$ ./GHOST
Vulnerable

On glibc-2.18 – On executing the above code
#[user@...ora-20 ~]$ ./GHOST
Not vulnerable

Yes, I’m affected. What’s next?

    The easiest way to fix the GHOST vulnerability is to use your default package manager to update the version of glibc.

For example:
RHEL/Centos
#sudo yum update glibc

Ubuntu/Debian
#sudo apt-get upgrade glibc

NOTE: Ubuntu/Debian uses a variant of glibc called eglibc.
Now check the version of the glibc. It must be equal or later to glibc-2.18.

NOTE: Some distros may provide a patch for the older version. If you find the version number less than 2.18 even after the update, please use the above test program to find if you are vulnerable or not.
The below command will list all the binaries which uses the glibc libraries.
#lsof | grep libc | awk '{print $1}' | sort | uniq

It will return a bunch of binaries, restarting all the services is tedious task and hence a reboot is necessary since the GNU C Library is used by many applications.

About ViSolve

ViSolve is a consulting firm that provides Enterprise services like Cloud Deployment, Monitoring, Support and Security. More information about ViSolve can be found here. To know more about enhancing your data security, drop us an e-mail – services@visolve.com.

Healthcare IT Enterprise IT