GHOST glibc Security Alert January 2015

Summary

Epicor¬†has been made aware of a critical vulnerability in the glibc library, which has been assigned CVE-2015-0235¬†and is commonly referred to as ‘GHOST’. All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.

GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

Checking Vulnerability

The easiest way to check for the vulnerability is to run the the Red Hat Access Lab’s “glibc (GHOST) Detector” script:

curl -s http://kb.eclipseinc.com/repo/GHOST-test.sh | bash

If the server is vulnerable, you will see output similar to:

Installed glibc version(s)
- glibc-2.5-42.i686: vulnerable
- glibc-2.5-42.x86_64: vulnerable

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps

If the server is not vulnerable, you will see output similar to:

Installed glibc version(s)
- glibc-2.5-123.el5_11.1.x86_64: not vulnerable
- glibc-2.5-123.el5_11.1.i686: not vulnerable

Resolution

Update RHEL to patch the affected libraries:

yum -y update glibc nscd

Double-check that the patches have been applied by running the detection script again:

curl -s http://kb.eclipseinc.com/repo/GHOST-test.sh | bash

Reboot the server to finish applying the patches:

reboot

Troubleshooting

If you receive an error when attempting to run yum, it could be because your Red Hat subscription has expired. In this case, we’ve setup a package repository for you, which you can use by running the following commands:

curl -s -o /etc/yum.repos.d/eclipse.repo http://kb.eclipseinc.com/repo/eclipse.repo
yum -y update glibc nscd

If you receive an error similar to “Public key for glibc-headers-2.5-123.el5_11.1.x86_64.rpm is not installed”, then it means your Red Hat software is very much out of date, and you’ll need to first update some other packages:

curl -s -o /usr/share/rhn/RHNS-CA-CERT http://kb.eclipseinc.com/repo/RHNS-CA-CERT
curl -s -o /etc/yum.repos.d/eclipse.repo http://kb.eclipseinc.com/repo/eclipse.repo
yum --nogpgcheck -y update rhn*
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
yum -y update glibc nscd

Frequently Asked Questions

Q: I installed the patch, and now the script says my server is “not vulnerable”. Do I still need to reboot my server?
A: Yes.