GHOST: A brief recap of what you need to know about it


Is GHOST dangerous?

Yes, it is. GHOST is a high-severity vulnerability (CVE-2015-0235) that allows attackers to carry out a remote code execution (RCE) attack and take complete control of the victim system. It exploits a buffer overflow bug in glibc’s GetHOST functions (hence the name).

Fortunately, Linux vendors already have the necessary updates available, as Qualys was in touch with them before disclosing the vulnerability.

How to check if my system is vulnerable?

Linux systems that use versions of the GNU C Library prior to glibc-2.18 are vulnerable to GHOST. Among them are most stable and long-term-support distributions, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04.

You can check the glibc version with the ldd utility, which uses glibc:

CentOS & RHEL

ldd --version

Ubuntu & Debian

ldd --version

The glibc version appears in the first line of the output.

ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.

If the version of glibc is older than 2.18, your system is vulnerable to GHOST.

How to fix the vulnerability?

All you need to do is install the update provided by your Linux vendor. Use your default package manager, since it is the easiest way to get this done.

CentOS & RHEL

sudo yum update glibc

Ubuntu & Debian

sudo apt-get update && sudo apt-get dist-upgrade

For the updates to take effect, you have to relaunch all applications that use the GNU C Library. That can be a tough task, so reboot the whole server if you can.

Otherwise, use this trick to check which applications actually need to be restarted and relaunch only them:

lsof | grep libc | awk '{print $1}' | sort | uniq

And the following script does the whole job for you:

for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep -- "$s")" ]]; then echo "$s"; service "$s" restart; fi; done
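
A narrower form of the lsof check above, as an added example that is not from the original post: once the update has replaced the library file on disk, a process that still runs the old code shows its libc mapping as "(deleted)" in /proc/<pid>/maps, so only those processes need a restart. The function names and the sample maps line are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical.

# Reads the text of a /proc/<pid>/maps file on stdin. Succeeds when a libc
# mapping is marked "(deleted)", i.e. the file on disk was replaced by the
# update while the process kept the old copy mapped. Constructed sample line:
#   7f10a2c00000-7f10a2db6000 r-xp 00000000 fd:01 1311 /lib64/libc-2.17.so (deleted)
# "[-.]" after "libc" keeps libcrypto, libcap, libcurl etc. from matching,
# which a plain "grep libc" would also pick up.
maps_has_stale_libc() {
    grep -Eq '/libc[-.][^/]*\(deleted\)$'
}

# Prints "pid<TAB>command" for each process still running the old libc.
# $1 is the proc root (default /proc); it is a parameter only so the
# function can be exercised against a constructed directory tree.
# The command column is empty if /proc/<pid>/comm is unavailable.
stale_libc_processes() {
    procroot="${1:-/proc}"
    for dir in "$procroot"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        if maps_has_stale_libc 2>/dev/null < "$dir/maps"; then
            printf '%s\t%s\n' "${dir##*/}" "$(cat "$dir/comm" 2>/dev/null)"
        fi
    done
}

# Run as root so that every process's maps file is readable.
stale_libc_processes
```

An empty result after the update means no running process still holds the old library.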

Does Wallarm protect against GHOST?

Web application firewalls (WAF) working at the application layer are not the proper tool to mitigate attacks exploiting this kind of vulnerability. But as GHOST could certainly affect web infrastructure security, we need to be sure that our customers have updated their systems. Just patch immediately!

If you have any questions about this bug, please let us know.
