Ghost – Glibc Vulnerability 2015

Overview

The start to 2015 from a security perspective has given us a very timely reminder about the need to stay vigilant with security updates. As is the case for any system, having a stringent patch management plan in place is critical to ensure your system is kept secure.

The latest bug to be given a cool name is “Ghost”, which is a glibc buffer overflow vulnerability. This was discovered by the security analysis company, Qualys. The GNU C Library (glibc) is a low-level C library used by all Linux-based servers and is utilised by virtually every service which is programmed in C. The specific vulnerability affects DNS calls using the “gethostbyname” and “gethostbyaddr” functions, which is where the Ghost name comes from.

As the vulnerability is a buffer overflow, it means that a potentially malicious call could allow remote code execution on your system. From our analysis of the proof of concept code as well as the explanation from Qualys, code used to exploit a system would need to be specific to that application.

They’ve also provided further analysis and found that services like Apache, MySQL, Dovecot, Nginx are NOT vulnerable.

Affected Systems

These are the most commonly affected Linux distributions:

  • RHEL 5 / 6 / 7
  • CentOS 5 / 6 / 7
  • Ubuntu 10.04 / 12.04
  • Debian 6 / 7

Other Linux distributions or variants based on one of the above distributions may also be affected. We highly recommend you audit all your systems to determine if they’re vulnerable.

How to Fix

Fixing the vulnerability is a two-step process. The first step is to update the library itself. For example, if you’re running RHEL / CentOS, you’d need to run:

sudo yum clean all && sudo yum update glibc

For Debian / Ubuntu based systems, you’ll want to run:

sudo apt-get update && sudo apt-get dist-upgrade

You’ll then need to determine what services are using the glibc library. Here’s one quick command to list all programs which reference the old glibc library:

lsof | grep libc | grep -E "DEL|deleted" | awk '{print $1}' | sort | uniq

Of course, this doesn’t mean all of the services or applications are necessarily vulnerable; they would need to be calling the gethostbyname or gethostbyaddr functions to be so. The safe bet is to simply reboot the server. This will ensure all services use the new version of the library.
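
If a reboot has to wait, the second step can be checked per process without lsof. The script below is an added example, not part of the original post: it reads /proc/<pid>/maps directly and matches only the libc image itself, so other libraries whose names start with "libc" (libcap, libcrypto) are not reported. The function names stale_libc and make_sample_proc, the PROC_ROOT parameter and the sample process data are constructed for this illustration.

```sh
#!/bin/sh
# Added example (not from the original post). After the glibc package is
# updated, the old library file is unlinked, and the kernel tags mappings of
# it with "(deleted)" in /proc/<pid>/maps until the process restarts.

# stale_libc [PROC_ROOT] prints "<pid> <name>" for each process still mapping
# a deleted libc image. PROC_ROOT (default /proc) is a parameter added here so
# the function can also be run against a constructed directory tree.
stale_libc() (
    root="${1:-/proc}"
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        # Match libc.so.6 or libc-2.NN.so only, not libcap, libcrypto, etc.
        if grep -Eq '/libc(-[0-9][0-9.]*)?\.so(\.[0-9]+)? \(deleted\)$' \
                "$dir/maps" 2>/dev/null; then
            name="$(awk '/^Name:/ {print $2; exit}' "$dir/status" 2>/dev/null || true)"
            printf '%s %s\n' "${dir##*/}" "${name:-?}"
        fi
    done | sort -n
)

# make_sample_proc DIR builds a small constructed /proc-like tree for a demo.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    echo "Name:   sshd"  > "$1/101/status"
    echo "Name:   nginx" > "$1/202/status"
    echo "Name:   crond" > "$1/303/status"
    # 101 started before the update: its libc mapping is marked deleted.
    echo "7f3c1a000000-7f3c1a18b000 r-xp 00000000 fd:00 1311 /lib64/libc-2.12.so (deleted)" > "$1/101/maps"
    # 202 was restarted after the update: it maps the file now on disk.
    echo "7f3c1a000000-7f3c1a18b000 r-xp 00000000 fd:00 2750 /lib64/libc-2.12.so" > "$1/202/maps"
    # 303 has another deleted library mapped, but its libc is current.
    {
        echo "7f3c1a000000-7f3c1a18b000 r-xp 00000000 fd:00 2750 /lib64/libc-2.12.so"
        echo "7f3c1b000000-7f3c1b1b5000 r-xp 00000000 fd:00 1402 /usr/lib64/libcrypto.so.1.0.1e (deleted)"
    } > "$1/303/maps"
}

# Scan the live system (run as root to see every process).
stale_libc /proc
```

An empty result means no running process still maps the old library. Any process that is listed needs a restart before it picks up the patched glibc.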

Conetix Customers

Whenever a critical vulnerability like this arises, we immediately begin a full analysis of the issue to determine the likelihood of an exploit as well as the resulting consequence. Despite the limited amount of information during the initial security exploit notifications, we will always err on the side of caution to ensure the integrity of our platform.

As we maintain a Configuration Management system for all of our managed services, updating the library has already been completed for your Virtual Private Server and any of our infrastructure services. Systems with high availability have already been progressively rebooted to ensure services are utilising the new library. All other systems will be progressively rebooted over the next few days (during times of low activity) to ensure the systems are fully protected.

Tim Butler

With over 20 years experience in IT, I have worked with systems scaling to tens of thousands of simultaneous users. My current role involves providing highly available, high performance web and infrastructure solutions for small businesses through to government departments. NGINX Cookbook author.
