Overview
The start to 2015 from a security perspective has given us a very timely reminder about the need to stay vigilant with security updates. As is the case for any system, having a stringent patch management plan in place is critical to ensure your system is kept secure.
The latest bug to be given a cool name is “Ghost”, a buffer overflow vulnerability in glibc. It was discovered by the security analysis company Qualys. The GNU C Library (glibc) is a low-level C library used by all Linux based servers and by virtually every service written in C. The specific vulnerability affects DNS calls made through the “gethostbyname” and “gethostbyaddr” functions, which is where the Ghost name comes from.
As the vulnerability is a buffer overflow, a maliciously crafted call could potentially allow remote code execution on your system. From our analysis of the proof of concept code, as well as the explanation from Qualys, code used to exploit a system would need to be specific to the targeted application.
Qualys has also analysed a number of common services and found that Apache, MySQL, Dovecot and Nginx are NOT vulnerable.
Affected Systems
These are the most commonly affected Linux distributions:
- RHEL 5 / 6 / 7
- CentOS 5 / 6 / 7
- Ubuntu 10.04 / 12.04
- Debian 6 / 7
Other Linux distributions or variants based on one of the above distributions may also be affected. We highly recommend you audit all your systems to determine if they’re vulnerable.
How to Fix
Fixing the vulnerability is a two-step process. The first step is to update the library itself. For example, if you’re running RHEL / CentOS, you’d need to run:
sudo yum clean all && sudo yum update glibc
For Debian / Ubuntu based systems, you’ll want to run:
sudo apt-get update && sudo apt-get dist-upgrade
You’ll then need to determine which services are still using the old glibc library. Here’s one quick command to list all programs which still reference the old (now deleted) copy of the library; note that grep needs -E for the DEL|deleted alternation to be treated as a pattern rather than a literal string:
lsof | grep libc | grep -E "DEL|deleted" | awk '{print $1}' | sort | uniq
Of course, this doesn’t mean all of the listed services or applications are necessarily vulnerable; they would need to be calling the gethostby functions to be so. The safe bet is to simply reboot the server, which ensures every service uses the new version of the library.
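As an added example (not code from the original post), the following script wraps the same lsof check in a reusable function: it uses grep -E so the DEL|deleted alternation actually works, and tightens the libc match so that libraries such as libcrypt or libcurl (which also contain the substring “libc”) are not swept in. The lsof output it runs over is constructed for the demo, not captured from a real host.

```shell
#!/bin/sh
# Added example: list processes that still map a deleted (pre-update) glibc
# after "yum update glibc" or "apt-get dist-upgrade". Such processes keep the
# old, vulnerable code in memory until they are restarted or the host reboots.

# stale_libc_procs: read lsof output on stdin and print the unique command
# names that hold a libc mapping lsof marks as deleted. On Linux, lsof either
# shows "(deleted)" in the NAME column or uses the FD type "DEL" for a
# memory-mapped file that has been unlinked. The pattern '/libc[-.]' matches
# libc-2.x.so and libc.so.6 but not libcrypt, libcurl, etc.
stale_libc_procs() {
    grep -E '/libc[-.]' | grep -E 'DEL|\(deleted\)' | awk '{print $1}' | sort -u
}

# live_stale_libc_procs: the same filter over the running system's lsof output.
live_stale_libc_procs() {
    lsof 2>/dev/null | stale_libc_procs
}

# Constructed sample of lsof output (not real captured data). sshd and nginx
# still map the deleted libc; mysqld has the new copy; cron only has a stale
# libcrypt, which the page's loose "grep libc" would have reported as well.
SAMPLE='COMMAND    PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
sshd      1234 root  mem    REG  253,0  2118128  131400 /lib64/libc-2.12.so (deleted)
sshd      1234 root  mem    REG  253,0   156872  131402 /lib64/ld-2.12.so (deleted)
nginx     2345 root  DEL    REG  253,0           131400 /lib64/libc-2.12.so
nginx     2346 nginx DEL    REG  253,0           131400 /lib64/libc-2.12.so
mysqld    3456 mysql mem    REG  253,0  2118128  131500 /lib64/libc-2.12.so
cron      4567 root  mem    REG  253,0    61568  131300 /lib64/libcrypt-2.12.so (deleted)'

# Run with --demo to filter the constructed sample; run with --live for lsof.
case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE" | stale_libc_procs ;;
    --live) live_stale_libc_procs ;;
esac
```

With --demo the script prints nginx and sshd, the two services that would need a restart (or a reboot) to pick up the patched glibc.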
Conetix Customers
Whenever a critical vulnerability like this arises, we immediately begin a full analysis of the issue to determine the likelihood of an exploit as well as the resulting consequence. Despite the limited amount of information during the initial security exploit notifications, we will always err on the side of caution to ensure the integrity of our platform.
As we maintain a Configuration Management system for all of our managed services, updating the library has already been completed for your Virtual Private Server and any of our infrastructure services. Systems with high availability have already been progressively rebooted to ensure services are utilising the new library. All other systems will be progressively rebooted over the next few days (during times of low activity) to ensure the systems are fully protected.