The GHOST Vulnerability

January 28, 2015 6:57 pm

Heads up everybody – a Linux vulnerability known as GHOST (CVE-2015-0235), discovered by Qualys, has recently been publicized. This particular vulnerability is a nasty one, since it allows for remote code execution.

The vulnerability has been exhaustively documented in this Security Advisory, which you may find interesting. In short, the vulnerability exists within glibc in __ns_hostname_digits_dots(), which deals with hostname resolution via the gethostbyname() call.

Am I Vulnerable?

Yes, most likely. In order to address this, you’ll want to ensure that you have updated and rebooted your systems.

Debian and Ubuntu have updated packages for their supported distributions. Run apt-get update && apt-get dist-upgrade to bring your system up to date, and then reboot to ensure no references to the old libraries still exist.

For other popular distributions, please follow their equivalent steps for upgrading packages.  For more information, you can follow our GHOST guide.

Is Linode Infrastructure vulnerable?

No. Our Security Team has worked to protect our infrastructure from this vulnerability and we have taken the appropriate steps to address this issue on all of our systems.

9 Responses

  1. My server is running Ubuntu 12.04.1 do I need to upgrade in order for this to be fixed or will it be in the repo’s?

  2. You shouldn’t need to upgrade to a new version of Ubuntu, simply updating through your package manager, then rebooting, will suffice for addressing this issue.

  3. I run musl-libc so wasn’t vulnerable. You glibc plebs… poor sods.

  4. My linode is running on CentOS 6.4. I have updated the glibc package with yum manager but still the version showing is 2.12 after update. I run some script to check the whether the server is affected by ghost. the system showing is vulnerable.. how to fix ..let me know..

  5. A practical thing (hope it could be helpful for anyone). You don’t need to reboot the whole server after updating. If you are not able to do reboot — use this cmd which relaunchs only several applications that actually use vulnerable glibc:

    for s in $(lsof | grep libc | awk ‘{print $1}’ | sort | uniq); do if [[ -f “/etc/init.d/$s” && “$(ps aufx | grep -v grep | grep $s)” ]]; then echo $s; service $s restart; fi; done

    From: http://blog.wallarm.com/post/109402223343/ghost-a-brief-recap-of-what-you-need-to-know

  6. @Jonathan Leal – You don’t need to restart your server, typing execute ‘lsof | grep libc | awk ‘{print $1}’ | sort | uniq’ and it’s enough.

  7. Thanks for the quick response and posting about this, Linode. 🙂

  8. Here is a Spanish FAQ about GHOST vulnerability:

    http://www.sysadmit.com/2015/01/linux-vulnerabilidad-ghost.html

  9. The above lsof commands have a problem!!! They only return the first 9 characters of the command name.

    $ lsof | grep libc | grep redis
    redis-ser 3303….

    vs:

    lsof +c 0 | grep libc | grep redis
    redis-server 3303

    You may well miss services that need to be restarted without “+c 0”

Leave a Reply