Ghost Vulnerability Affecting Linux

28 January 2015 | by Natalie Fayle

You may have heard about a highly critical vulnerability called Ghost or Ghostbug (CVE-2015-0235) affecting most Linux distributions.

This vulnerability is present in the glibc (or eglibc) software on nearly every Linux server currently deployed, and affects versions originally released from 2000-2013. This means the bug is present in nearly every deployed Linux server; current estimates put the figure at ~90%.

If properly executed, this attack can lead to remote command execution and privilege escalation with relative ease. We fully recommend that updates and reboots are carried out ASAP.

You can read more about it at the following URLs:

https://access.redhat.com/security/cve/CVE-2015-0235
http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/
https://news.ycombinator.com/item?id=8953545
http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/

Managed Server Customers

Of course we’ll be taking care of this on behalf of our managed customers. We will be calling all managed server customers today and tomorrow to arrange updates and reboots for all managed services.

If you don't wish to wait for this to happen, and are happy to update and reboot your own services using the below instructions, please do so and inform our support team when successful. At this point we'll remove you and your services from our update schedule.

If you decide that you need to reboot out of hours it’s not a problem but please be aware that there is always the risk that machines will not come back up properly and there is less resource available overnight to deal with such issues.

Unmanaged Server Customers

As usual you’ll need to patch this yourself, here are some instructions on what you need to do… 

Checking for the vulnerability

To check whether your Linux server is vulnerable to CVE-2015-0235, please download (and check!) the following source code, then compile and run it using the commands below:

$ wget https://gist.githubusercontent.com/chrisfu/2bbb99c4261b5337215b/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c
$ gcc gistfile1.c -o ghost-check
$ ./ghost-check

If you see "not vulnerable", you don't need to take any further action. However if you see the result "vulnerable", you need to upgrade the affected packages and (preferably) reboot or restart all of the affected system services.
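As an added, self-contained check (not the gist linked above, though it follows the same widely published technique), the following C program calls gethostbyname_r() with a digits-only name sized exactly to the affected 1024-byte buffer and watches a canary placed directly after it. An affected glibc writes past the buffer into the canary; a patched glibc refuses the call with ERANGE before copying anything. Compile it with gcc exactly as shown for the gist.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Buffer and canary are adjacent, so any overflow from the buffer lands in the canary. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

enum { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_INCONCLUSIVE = 2 };

/* Returns GHOST_VULNERABLE if the canary was overwritten, GHOST_NOT_VULNERABLE
 * if glibc rejected the call with ERANGE, and GHOST_INCONCLUSIVE otherwise
 * (for example on a non-glibc libc that simply refuses the oversized name). */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];
    /* Largest name the buggy size calculation still accepts for a 1024-byte
     * buffer: 16 bytes of address storage, two address pointers and the NUL. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';
    memcpy(temp.canary, CANARY, sizeof(CANARY)); /* fresh canary on every call */
    int retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                 &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "vulnerable", "inconclusive" };
    puts(verdict[ghost_check()]);
    return 0;
}
```

An "inconclusive" result means the libc neither overflowed nor returned ERANGE, so confirm the installed glibc version against your distribution's advisory rather than treating it as safe.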

Patching the vulnerability

If you're using:

Debian Squeeze (6.0) or newer,
Ubuntu Lucid LTS (10.04) or newer,
CentOS 5.0 or newer,
or RHEL 5.0 or newer, you can upgrade and reboot/restart with the below commands.

If you're using:

Debian Lenny (5.0) or lower,
Ubuntu Hardy LTS (8.04) or lower,
CentOS 4.0 or lower,
or RHEL 4.0 or lower, please upgrade your operating system or contact support if that server is a managed server.

If you're using:

Ubuntu Trusty LTS (14.04) or newer, you don't need to take any further action.

Debian/Ubuntu

### To upgrade
$ sudo apt-get clean && sudo apt-get update && sudo apt-get -y install libc6 libc-bin libc6-dev libc-dev-bin
### To reboot (recommended for maximum security)
$ sudo reboot
### To restart affected system services without a reboot, do the following as the root user
$ sudo apt-get -y install lsof
# servicelist=""; for problemservice in `lsof 2> /dev/null | grep libc | awk '{print $1}' | sort | uniq`; do for service in `ls /etc/init.d/* | awk -F "/etc/init.d/" '{print $2}'`; do if [ "$problemservice" = "$service" ]; then if [ -n "`service $problemservice status | grep running`" ]; then servicelist+=" $problemservice"; else echo "$problemservice found but service is not running"; fi; fi; done; done; count=`tr -dc ' ' <<<"$servicelist" | wc -c`; servicelist=`echo $servicelist | xargs`; echo -n "$count services have to be restarted ($servicelist): continue (y/N)? "; read continue; if [ "$continue" = "y" ]; then for service in $servicelist; do /etc/init.d/$service restart; done; else echo "Leaving without restarting services"; fi

RHEL/CentOS

### To upgrade
$ sudo yum clean all && sudo yum -y update glibc glibc-common
### To reboot (recommended for maximum security)
$ sudo reboot
### To restart affected system services without a reboot, do the following as the root user
$ yum -y install lsof
# servicelist=""; for problemservice in `lsof 2> /dev/null | grep libc | awk '{print $1}' | sort | uniq`; do for service in `ls /etc/init.d/* | awk -F "/etc/init.d/" '{print $2}'`; do if [ "$problemservice" = "$service" ]; then if [ -n "`service $problemservice status | grep running`" ]; then servicelist+=" $problemservice"; else echo "$problemservice found but service is not running"; fi; fi; done; done; count=`tr -dc ' ' <<<"$servicelist" | wc -c`; servicelist=`echo $servicelist | xargs`; echo -n "$count services have to be restarted ($servicelist): continue (y/N)? "; read continue; if [ "$continue" = "y" ]; then for service in $servicelist; do /etc/init.d/$service restart; done; else echo "Leaving without restarting services"; fi

All Customers

As you’ll appreciate we’re really busy trying to upgrade all of our servers so we’d be forever grateful if customers could avoid raising any non-critical issues today. We’ll let you know when we have more resource available. Thanks in advance!

Further updates available on Twitter @melbournehost
