Loading...

Description

A remote code execution vulnerability in the glibc library has been disclosed [1]. The vulnerability, numbered CVE-2015-0235 [2] and nicknamed "GHOST", can allow a local or remote attacker to execute code within the context of an application linked with a vulnerable version of the glibc library. This is triggered by a buffer overflow in the gethostbyname() function, which is called when resolving a hostname to an IP. Not all services that leverage vulnerable versions of the glibc library and make calls to the gethostbyname() function are vulnerable; nonetheless, a proof of concept demonstrating "real-world" exploitation has been published and more are slated for release.

This vulnerability has been in production glibc versions since November 2000, and was patched in source code since May 2013 [3]. However, many mainstream Linux distributions remain vulnerable, including RHEL 5 through 7 [3, 4]. The affected versions of glibc are as follows:

  • glibc 2.2 through 2.17 (inclusive) are vulnerable
  • glibc 2.18 through 2.20 (inclusive) are NOT vulnerable
  • prior versions of glibc (<= 2.1.3) are NOT vulnerable

The list of affected popular distributions can be found in reference 3.

Immediate patches are needed to fix this vulnerability due to the risk it presents. It is necessary to restart computers or processes following patching. Please note that the Information Security Office (ISO) is at this time unable to scan for vulnerable versions of glibc so it is up to system administrators to ensure this vulnerability has been remediated. At the time ISO develops a means of accurately scanning for vulnerable systems without credentials, we will begin notifications and quarantine scheduling.


References and footnotes:
[1] https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
[2] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
[3] http://chargen.matasano.com/chargen/2015/1/27/vulnerability-overview-ghost-cve-2015-0235.html
[4] The RHNS console can be used to determine whether systems remain vulnerable and may be useful for as you patch multiple systems.
[5] http://blog.sucuri.net/2015/01/critical-ghost-vulnerability-released.html

Selfscan Template

A template for scanning for the GHOST vulnerability is available in Selfscan. It's named "CVE-2015-0235: GHOST scan" and is available to be used on any site in the Selfscan service.

ITS notes on Red Hat Enterprise Linux (RHEL)

From ITS:

For users of the Campus Red Hat Network Satellite, the errata for RHEL 5,
RHEL 6, and RHEL 7 are available via that service.

Per Red Hat: 

"Before applying this update, make sure all previously released errata
relevant to your system have been applied."

A reboot is required after application of the update.

References:
[1] Red Hat article: https://access.redhat.com/articles/1332213
[2] RHEL 5 errata description:
https://rhn.redhat.com/errata/RHSA-2015-0090.html
[3] RHEL 6/7 errata description:
https://rhn.redhat.com/errata/RHSA-2015-0092.html