Friday, 6 February 2015

Check and Patch GHOST Vulnerability CVE-2015-0235 in Linux

The GHOST vulnerability is haunting our secure Linux systems these days. We Linux users proudly say that Linux never gets infected with viruses and worms, but we do have vulnerabilities in our systems that can be exploited to cause serious damage if not stopped early.

All systems, whether desktop or server, are at risk from this new vulnerability.

A buffer overflow vulnerability has been discovered that can allow an attacker to remotely execute code on a Linux computer. It was found in the GNU C Library (glibc) __nss_hostname_digits_dots() function, which is accessible from gethostbyname*() functions. The function can overflow sizeof(*char) bytes, 4 or 8 for 32-bit or 64-bit architectures, respectively. - cyberoam.com

A list of affected Linux distros:

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older
  • SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP1 LTSS/ SP2 LTSS/SP3/SP3 for VMware
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc version <= 2.18-1

This vulnerability is caused by a simple buffer overflow in the glibc library on Linux systems.

You can test or reproduce the bug using the following C code:
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}


Compile and run it as follows:
       $ gcc ghosttest.c -o ghosttest
       $ ./ghosttest


Systems running Ubuntu 12.04 LTS were found vulnerable.
Debian servers running v7.8 are not vulnerable to this bug.

This bug does not exist on every system out there; it only affects Linux systems that use glibc, short for GNU C Library.
Other systems such as Windows, OS X, iOS and Android do not use glibc in their OS modules, hence they are safe.

The bad news is that many, if not most, computers running Linux do use glibc, and may be at risk.

How to fix the GHOST vulnerability on a CentOS/RHEL/Fedora/Scientific Linux

Type the following commands in a terminal to update glibc to the latest version:

sudo yum clean all
sudo yum update

Then reboot the system:

sudo reboot

Fix the GHOST vulnerability on a Ubuntu Linux/Debian Linux

sudo apt-get clean
sudo apt-get update
sudo apt-get dist-upgrade
sudo reboot


Fix the GHOST vulnerability on a SUSE Linux Enterprise


To install this SUSE Security Update, use YaST online_update, or use the following command for your version of the distro:

SUSE Linux Enterprise Software Development Kit 11 SP3

zypper in -t patch sdksp3-glibc-10206

SUSE Linux Enterprise Server 11 SP3 for VMware

zypper in -t patch slessp3-glibc-10206

SUSE Linux Enterprise Server 11 SP3

zypper in -t patch slessp3-glibc-10206

SUSE Linux Enterprise Server 11 SP2 LTSS

zypper in -t patch slessp2-glibc-10204

SUSE Linux Enterprise Server 11 SP1 LTSS

zypper in -t patch slessp1-glibc-10202

SUSE Linux Enterprise Desktop 11 SP3

zypper in -t patch sledsp3-glibc-10206

Finally, on all SUSE Linux versions, run the following to bring your system up to date:

zypper patch

Fix the GHOST vulnerability on a OpenSUSE Linux


To see a list of available updates including glibc on a OpenSUSE Linux, enter:
# zypper lu

To simply update installed glibc packages with their newer available versions, run:
# zypper up

The best way to check for the bug is to find out which glibc version your distro is currently running. Type the following command:
$ ldd --version

Then run the program given above as the final check, and update glibc to the latest version to patch it.
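
The reboot after updating matters because processes that started before the update keep the old glibc mapped until they are restarted. The script below is an added example, not part of the original post: it lists processes that still map an unlinked libc, and its function names and sample /proc data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes still running the pre-update glibc.
# Package managers replace libc by unlinking the old file, so a process that
# loaded it before the update shows the mapping as "(deleted)" in /proc/PID/maps.

# Succeeds if the maps text on stdin contains an unlinked libc mapping.
# Matches both libc-2.15.so (older naming) and libc.so.6.
maps_has_stale_libc() {
  grep -Eq '/libc(-[0-9.]+\.so|\.so\.[0-9]+) \(deleted\)$'
}

# Print "PID NAME" for each process under the given proc root (default /proc)
# that still maps a deleted libc. Unreadable maps files are skipped.
stale_libc_procs() {
  root=${1:-/proc}
  for dir in "$root"/[0-9]*; do
    [ -r "$dir/maps" ] || continue
    if maps_has_stale_libc 2>/dev/null < "$dir/maps"; then
      name=$(cat "$dir/comm" 2>/dev/null || echo '?')
      echo "${dir##*/} $name"
    fi
  done
}

# Constructed sample: two fake processes, one started before the update.
demo=$(mktemp -d)
mkdir -p "$demo/101" "$demo/202"
echo sshd > "$demo/101/comm"
echo bash > "$demo/202/comm"
printf '%s\n' \
  '7f10a0000000-7f10a01b4000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)' \
  > "$demo/101/maps"
printf '%s\n' \
  '7f20b0000000-7f20b01b4000 r-xp 00000000 08:01 2422 /lib/x86_64-linux-gnu/libc-2.15.so' \
  > "$demo/202/maps"

echo "constructed sample:"; stale_libc_procs "$demo"
echo "this host (run as root to see every process):"; stale_libc_procs /proc
rm -rf "$demo"
```

Any process it reports on a patched host should be restarted, or the host rebooted, before the fix takes effect for that process.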
