How To Protect Your Server From The GHOST Vulnerability

Want to know more about the GHOST vulnerability? It is rated Critical and is officially tracked as CVE-2015-0235. The flaw is located in the glibc library of most Linux systems. It is a “buffer overflow” condition that can allow a remote attacker to gain complete control of a system. Any system running a version of glibc older than 2.18 is likely to be susceptible to this attack.

How to Check Your Server

Red Hat Enterprise Linux & CentOS
You can use rpm (the Red Hat Package Manager) to check the glibc version:
[root@box ~]# rpm -q glibc
The command will give an output similar to this:
glibc-2.5-123.el5_11.1
Note the version information in the output above. If this version matches, or is more recent than, the versions listed below, you are safe from the GHOST vulnerability:
- CentOS 6: glibc-2.12-1.149.el6_6.5
- CentOS 7: glibc-2.17-55.el7_0.5
- RHEL 5: glibc-2.5-123.el5_11.1
- RHEL 6: glibc-2.12-1.149.el6_6.5
- RHEL 7: glibc-2.17-55.el7_0.5

Any version older than these is vulnerable to GHOST and should be patched as soon as possible.

Debian & Ubuntu

The ldd command, used to check for dynamic dependencies, can be used to see the version of glibc on Debian-based systems, including Ubuntu:
debianbox:~# ldd --version
The output will look similar to this:
ldd (Debian EGLIBC 2.11.3-4) 2.11.3
Copyright (C) 2009 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Note the version information in the first line of the output. If this version matches, or is more recent than, the versions listed below, the system is not vulnerable to GHOST:

- Ubuntu 12.04 LTS: 2.15-0ubuntu10.10
- Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
- Debian 7 LTS: 2.13-38+deb7u7

Any versions older than these are vulnerable and should be patched as soon as possible.

How to Fix the Vulnerability

The simple way to fix the GHOST vulnerability is to use the default package manager for your distribution to update glibc. Below are sample processes for a Red Hat/CentOS based environment and for a Debian/Ubuntu based environment.

RHEL & CentOS
The default package manager for Red Hat Enterprise Linux, CentOS, and related distributions is yum:
[root@box ~]# sudo yum update glibc
When the system prompts you for confirmation, respond with ‘y’.

Once the system is done updating, you will need to reboot it. This is necessary because glibc is used by many applications, and those applications must be restarted to use the new library version. Theoretically, you could manually restart each application, but if you miss one, you will leave your system vulnerable to attack. You can reboot your system with either of the following commands:
[root@box ~]# sudo reboot
or
[root@box ~]# sudo shutdown -r now
Once your system has restarted, make sure the vulnerability has been patched by using the instructions from the earlier section.

Debian & Ubuntu

The default package manager for Debian, Ubuntu, and related distributions is apt. For currently supported versions of Debian and Ubuntu, update all of your packages to the latest version available. In most situations, we recommend doing a ‘dist-upgrade’. In some cases, however, this may cause issues with certain packages, because the dist-upgrade command can add and remove packages in addition to upgrading them. If you are concerned that this is the case on your system, you can use ‘upgrade’ as an alternative, but make extra sure to check your system for the vulnerability afterwards if you do.
debianbox:~# sudo apt-get update && sudo apt-get dist-upgrade
or
debianbox:~# sudo apt-get update && sudo apt-get upgrade
In either case, respond to the confirmation prompt with ‘y’.

Once the system is done updating, you will need to reboot it. This is necessary because glibc is used by many applications, and those applications must be restarted to use the new library version. Theoretically, you could manually restart each application, but if you miss one, you will leave your system vulnerable to attack. You can reboot your system with either of the following commands:
debianbox:~# sudo reboot
or
debianbox:~# sudo shutdown -r now
Once your system has restarted, make sure the vulnerability has been patched by using the instructions from the earlier section.
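
The reboot step in both sections above exists because running processes keep the old glibc mapped after the package is replaced. As an added example (not part of the original article), this script lists processes whose /proc/PID/maps still shows a deleted libc; the function names and the sample PIDs and paths are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article.
# After glibc is updated, the old library file is unlinked, so any process
# that loaded it earlier shows the mapping as "(deleted)" in /proc/PID/maps.

# has_stale_libc FILE: true if the maps-format FILE maps a deleted libc.
has_stale_libc() {
    grep -Eq '/libc(-[0-9][^ ]*\.so|\.so\.[0-9]+)[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# stale_libc_pids [ROOT]: print "PID COMMAND" for every process under ROOT
# (default /proc) that is still running on the replaced library.
stale_libc_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        has_stale_libc "$maps" || continue
        dir=${maps%/maps}
        comm=$(cat "$dir/comm" 2>/dev/null) || comm='?'
        echo "${dir##*/} $comm"
    done
}

# make_sample_proc DIR: constructed /proc-like tree for an offline demo.
# PID 812 was started before the update, PID 4321 after it.
make_sample_proc() {
    mkdir -p "$1/812" "$1/4321"
    echo sshd > "$1/812/comm"
    echo bash > "$1/4321/comm"
    cat > "$1/812/maps" <<'EOF'
00400000-0047d000 r-xp 00000000 08:01 131 /usr/sbin/sshd
7f1c2a000000-7f1c2a1b5000 r-xp 00000000 08:01 2761 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)
7f1c2a5c0000-7f1c2a5c4000 r-xp 00000000 08:01 2790 /lib/x86_64-linux-gnu/libcap.so.2.22
EOF
    cat > "$1/4321/maps" <<'EOF'
00400000-004e1000 r-xp 00000000 08:01 17 /bin/bash
7f9d10000000-7f9d101b5000 r-xp 00000000 08:01 3105 /lib/x86_64-linux-gnu/libc-2.15.so
EOF
}

demo=$(mktemp -d)
make_sample_proc "$demo"
echo "constructed sample:"; stale_libc_pids "$demo"
echo "this host:";          stale_libc_pids /proc
rm -rf "$demo"
```

Run it as root so every process's maps file is readable. An empty "this host" list means no running process still maps the replaced library; statically linked binaries are not covered by this check.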

For more information about the GHOST vulnerability, please see this link from the United States Computer Emergency Readiness Team (US-CERT):
https://www.us-cert.gov/ncas/current-activity/2015/01/27/Linux-Ghost-Remote-Code-Execution-Vulnerability
