A very serious security problem, CVE-2015-0235 (nicknamed GHOST), has been found and patched in the GNU C Library (Glibc). It was announced on 27th January 2015.
What is the GHOST security bug?
From the RHEL bugzilla:
A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.
The oss-security mailing list entry with more details, including in-depth analysis and exploit vectors, is at http://www.openwall.com/lists/oss-security/2015/01/27/9 (the same source credited in the test program below).
What C library (Glibc) version does my Linux system use?
The easiest way to check the version number is to run the following command:
ldd --version
Sample outputs from RHEL/CentOS Linux v6.6:
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Sample outputs from Ubuntu Linux 12.04.5 LTS:
ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Sample outputs from Debian Linux v7.8:
ldd (Debian EGLIBC 2.13-38+deb7u6) 2.13
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
A list of affected Linux distros
- RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
- CentOS Linux version 5.x, 6.x & 7.x
- Ubuntu Linux version 10.04, 12.04 LTS
- Debian Linux version 7.x
- Linux Mint version 13.0
- Fedora Linux version 19 or older
- SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
- SUSE Linux Enterprise Software Development Kit 11 SP3
- SUSE Linux Enterprise Server 11 SP3 for VMware
- SUSE Linux Enterprise Server 11 SP3
- SUSE Linux Enterprise Server 11 SP2 LTSS
- SUSE Linux Enterprise Server 11 SP1 LTSS
- SUSE Linux Enterprise Server 10 SP4 LTSS
- SUSE Linux Enterprise Desktop 11 SP3
- Arch Linux glibc version <= 2.18-1
GHOST vulnerability check
You can test for the bug with the following C program from the advisory. It calls gethostbyname_r() with an all-digit name whose length exactly fills the supplied buffer under the flawed size computation (which forgot the sizeof(char *) of one pointer). A vulnerable Glibc writes that many bytes past the end of the buffer into the canary placed directly after it; a fixed Glibc rejects the buffer with ERANGE:
/* ghosttest.c: GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r();
   a vulnerable glibc overruns the buffer and overwrites it. */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  /* This length fills the buffer exactly under the buggy size computation. */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];

  memset(name, '0', len);   /* all digits: takes the __nss_hostname_digits_dots() path */
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");          /* the canary was overwritten */
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");      /* a fixed glibc refuses the too-small buffer */
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}
Compile and run it as follows:
$ gcc ghosttest.c -o ghosttest
$ ./ghosttest
Sample outputs from patched Debian v7.8 server:
not vulnerable
Sample outputs from unpatched Ubuntu 12.04 LTS server:
vulnerable
How do I list the processes that are still using the vulnerable Glibc?
Updating the glibc package replaces the library on disk, but every process that was already running keeps the old, vulnerable copy mapped in memory until it is restarted. To see which running programs have libc mapped, type the following lsof command (the pattern is anchored on the library file name, because a bare grep libc also matches libcrypto, libcap and similar):
lsof | grep -E 'libc(-[0-9.]+)?\.so' | awk '{print $1}' | sort -u
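The lsof listing above shows which programs have libc open right now. After the package update, the more useful question is which processes still map the old, now-deleted library file, because those are the ones that must be restarted (or the box rebooted). The following script is an added example, not code from the page: it reads /proc/PID/maps, where the kernel tags a mapping of a replaced file with "(deleted)". It assumes the standard Linux maps line format and must run as root to see every process.

```shell
#!/bin/sh
# stale-libc.sh: list the running processes that still map a libc which has
# been replaced on disk.  Added example, not code from the page.
# After "apt-get upgrade" / "yum update" the new library is on disk, but each
# running process keeps the old copy mapped until it restarts; the kernel then
# shows that mapping in /proc/PID/maps with a "(deleted)" suffix.
# Assumption: a Linux /proc with the standard maps line format
# "start-end perms offset dev inode pathname".

# maps_has_stale_libc FILE -> exit 0 if FILE (a /proc/PID/maps dump) maps a
# deleted libc.  The pattern matches libc.so.6 and libc-2.xx.so only, so
# libcrypto, libcap and similar do not produce false positives.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$1"
}

# list_stale_libc_processes -> prints "PID COMMAND" per affected process.
# Run as root; other users' maps files are unreadable and are skipped.
list_stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_libc "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# stale_libc_count -> number of affected processes; 0 means nothing to restart
stale_libc_count() {
    list_stale_libc_processes | wc -l | tr -d ' '
}

# Entry point when run directly (skipped when sourced for its functions).
case "$0" in
    *stale-libc.sh)
        list_stale_libc_processes
        echo "$(stale_libc_count) process(es) still use the old libc"
        ;;
esac
```

Save it as stale-libc.sh and run it as root after the update; an empty list means every process already runs the new library and no reboot is needed for Glibc's sake.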
Fix the GHOST vulnerability on CentOS/RHEL/Fedora/Scientific Linux
Type the following yum commands as the root user (or with sudo):
sudo yum clean all
sudo yum update
Finally, reboot the RHEL/SL/Fedora/CentOS Linux server so that every running process picks up the new Glibc (alternatively, restart each affected service found with the lsof command above):
### Sysadmin should plan on updating as soon as possible or use maintenance reboot window ##
sudo reboot
Fix the GHOST vulnerability on Ubuntu Linux
Type the following apt-get commands as the root user (or with sudo):
sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
## dist-upgrade is only needed on Ubuntu if held-back packages such as a new kernel must be pulled in too
##sudo apt-get dist-upgrade
Finally, reboot the Ubuntu Linux server so that every running process picks up the new Glibc:
sudo reboot
Fix the GHOST vulnerability on Debian Linux
Type the following apt-get commands as the root user (or with sudo):
sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
##No need to do dist-upgrade (see man page: man apt-get)
##sudo apt-get dist-upgrade
Finally, reboot the Debian Linux server so that every running process picks up the new Glibc:
sudo reboot
Fix the GHOST vulnerability on SUSE Linux Enterprise
To install this SUSE security update, use YaST online_update or run the zypper command for your version:
SUSE Linux Enterprise Software Development Kit 11 SP3
zypper in -t patch sdksp3-glibc-10206
SUSE Linux Enterprise Server 11 SP3 for VMware
zypper in -t patch slessp3-glibc-10206
SUSE Linux Enterprise Server 11 SP3
zypper in -t patch slessp3-glibc-10206
SUSE Linux Enterprise Server 11 SP2 LTSS
zypper in -t patch slessp2-glibc-10204
SUSE Linux Enterprise Server 11 SP1 LTSS
zypper in -t patch slessp1-glibc-10202
SUSE Linux Enterprise Desktop 11 SP3
zypper in -t patch sledsp3-glibc-10206
Finally, on every SUSE Linux version, run the following to bring the system fully up to date:
zypper patch
Fix the GHOST vulnerability on openSUSE Linux
To see the list of available updates, including glibc, on openSUSE Linux, enter:
# zypper lu
To update all installed packages to their newer available versions (use zypper up glibc to limit the update to glibc), run:
# zypper up
How can I verify that my Linux system is no longer vulnerable after the reboot?
Method #1: Check the installed package version. The following command shows the upstream Glibc version:
$ ldd --version
but vendors backport the fix without changing that number (a patched RHEL 6 box still reports 2.12, a patched Debian 7 box still 2.13), so compare the full package version from rpm -q glibc (RHEL/CentOS/Fedora) or dpkg -l libc6 (Debian/Ubuntu) with the version named in your vendor's security advisory. Only an upstream version of 2.18 or later is fixed by itself.
Method #2: Compile and run the test program from the section GHOST vulnerability check above (a generic method for all Linux based systems).
Method #3: RHEL/CentOS/Scientific Linux users can run the Red Hat Access Lab GHOST tool (https://access.redhat.com/labs/ghost/), reproduced here. It treats an installed glibc as fixed if its upstream version is 2.18 or later or if its rpm changelog names CVE-2015-0235:
#!/bin/bash
# rhel-GHOST-test.sh - GHOST vulnerability tester. Only for CentOS/RHEL based servers.
#
# Version 3
# Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/
#
echo "Installed glibc version(s)"

rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')

    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2 -o \
        \( "$glibc_maj" -eq 2 -a "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi

exit $rv
Sample outputs from patched RHEL v6.8 server:
bash rhel-GHOST-test.sh
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.5.x86_64: not vulnerable
- glibc-2.12-1.149.el6_6.5.i686: not vulnerable
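Method #3 only covers rpm based systems. The following script is an added example (not from the page, Red Hat, Debian or Ubuntu) that applies the same two tests to Debian and Ubuntu: the installed libc6 is fixed if its upstream version is 2.18 or later, otherwise its package changelog must name CVE-2015-0235. It assumes the binary package is called libc6, that its changelog is installed as /usr/share/doc/libc6/changelog.Debian.gz (the Debian convention), and that the security upload's changelog entry mentions the CVE, as Debian and Ubuntu security uploads conventionally do. Unlike ldd --version, this distinguishes a backported fix from an unpatched package.

```shell
#!/bin/sh
# ghost-dpkg-check.sh: CVE-2015-0235 check for Debian/Ubuntu hosts.
# Added example, not from the page or from any distribution.  It applies the
# same two tests as the Red Hat script to dpkg systems: an upstream glibc of
# 2.18 or later contains the fix, otherwise the package must carry the
# backport, which its Debian changelog entry names by CVE.
# Assumptions: the binary package is libc6, its changelog is installed as
# /usr/share/doc/libc6/changelog.Debian.gz, and the security upload's
# changelog entry mentions CVE-2015-0235.

CVE="CVE-2015-0235"
CHANGELOG="/usr/share/doc/libc6/changelog.Debian.gz"

# upstream_fixed VERSION -> exit 0 if the upstream part of a dpkg version such
# as "2.13-38+deb7u6" or "2.19-18+deb8u1" is 2.18 or later.
upstream_fixed() {
    upstream=$(printf '%s\n' "$1" | sed 's/^[0-9]*://; s/-.*//')   # drop epoch and Debian revision
    maj=$(printf '%s\n' "$upstream" | awk -F. '{ print $1 }')
    min=$(printf '%s\n' "$upstream" | awk -F. '{ print $2 }' | sed 's/[^0-9].*//')
    [ "${maj:-0}" -gt 2 ] && return 0
    [ "${maj:-0}" -eq 2 ] && [ "${min:-0}" -ge 18 ]
}

# changelog_mentions_cve FILE -> exit 0 if the (gzipped or plain) changelog names the CVE
changelog_mentions_cve() {
    [ -r "$1" ] || return 1
    { case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
      esac; } | grep -q "$CVE"
}

# ghost_status VERSION CHANGELOG -> prints the verdict; exit 0 if fixed, 1 if vulnerable
ghost_status() {
    if upstream_fixed "$1" || changelog_mentions_cve "$2"; then
        echo "not vulnerable"
        return 0
    fi
    echo "vulnerable"
    return 1
}

# Check the installed libc6; the exit status is 1 when it is vulnerable.
main() {
    ver=$(dpkg-query -W -f='${Version}' libc6 2>/dev/null) || { echo "libc6 not found via dpkg"; return 2; }
    printf 'libc6 %s: ' "$ver"
    ghost_status "$ver" "$CHANGELOG"
}

# Entry point when run directly (skipped when sourced for its functions).
case "$0" in *ghost-dpkg-check.sh) main ;; esac
```

Save it as ghost-dpkg-check.sh and run it with sh; a non-zero exit status means the installed libc6 neither is new enough upstream nor carries a changelog entry for the CVE.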