The guys at Qualys discovered a very interesting buffer overflow in the __nss_hostname_digits_dots() function of glibc. The main problem is that you can take advantage of this remotely via the gethostbyname*() functions, which are used in many applications. They dubbed this “GHOST” (due to the GetHOST… name). The CVE assigned to this is: CVE-2015-0235.

Currently, all distributions of Linux are vulnerable.
This was apparently fixed between glibc-2.17 and glibc-2.18, but it was ignored in the long term “stable” releases.

Here is some code to check if you are vulnerable:

Here is a way to find every service using libc:

If you are vulnerable, updates have already been pushed out by the vendors.
For Ubuntu/Debian, you can: apt-get update && sudo apt-get install –only-upgrade libc6 -y
For Centos/RHEL, you can: “yum update glibc”

A great summary of the key things can be found here:
https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

A very good technical writeup of the details can be found here:
http://www.openwall.com/lists/oss-security/2015/01/27/9

A few of the major linux distribution advisories:
RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235

Leave a Reply

Your email address will not be published. Required fields are marked *

Post Navigation