CVE-2015-0235 Vulnerability (GHOST) glibc: __nss_hostname_digits_dots() heap-based buffer overflow

KH-Jonathan

CTO
Staff member
The GHOST Vulnerability

What do I need to do?

Nothing.
We have patched all of our VPS systems as of this morning, shortly after the patch was available, and restarted services which have been proven to be vulnerable. At this time it's mainly Exim. Dedicated servers are being patched automatically over the next ~24 hours.


What is it?

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.

Technical jargon:
A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.

What is the risk?
There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.

At this time only Exim mailserver has been proven to be really vulnerable.

Why is it called the GHOST vulnerability?
It is called the GHOST vulnerability as it can be triggered by the GetHOST functions.

References:
Qualys Advisory: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
GNU C Library: http://www.gnu.org/software/libc/
Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
Discussion about vulnerable services: http://seclists.org/oss-sec/2015/q1/283
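
A check an administrator could run after the glibc update and service restarts described in the post above, to confirm that no long-running process still has the pre-patch library mapped. This is an added example, not part of the original post or the host's own tooling; the function names and the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still map a libc which has been replaced
# on disk. When a package update replaces libc, processes started earlier keep
# the old (unpatched) code mapped, and the kernel marks that mapping in
# /proc/<pid>/maps with a trailing "(deleted)" until the process is restarted.

# Constructed sample lines in /proc/<pid>/maps format (not from a real host).
SAMPLE_STALE='7f1c2a400000-7f1c2a58a000 r-xp 00000000 fd:01 131090 /lib64/libc-2.12.so (deleted)'
SAMPLE_FRESH='7f1c2a400000-7f1c2a58a000 r-xp 00000000 fd:01 131777 /lib64/libc-2.12.so'

# maps_has_stale_libc: reads maps-format text on stdin.
# Exit status 0 if any mapping of libc-<ver>.so or libc.so.<n> is marked
# deleted, 1 otherwise. Field 6 is the mapped path; the last field is
# "(deleted)" when the backing file has been unlinked.
maps_has_stale_libc() {
    awk '
        $6 ~ /\/libc(-[0-9.]+)?\.so(\.[0-9]+)?$/ && $NF == "(deleted)" { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# list_stale_libc: print "PID COMM" for every live process with a stale libc.
# Run as root to see other users' processes; unreadable or vanished entries
# are skipped silently.
list_stale_libc() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        if maps_has_stale_libc 2>/dev/null < "$maps"; then
            pid=${maps#/proc/}
            pid=${pid%/maps}
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Scan the local system. No output means no process is still running on the
# replaced library.
list_stale_libc
```

Any process listed was started before the update and needs a restart (or the machine a reboot) before the patch takes effect for it.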
 
It's also worth noting that LFD will complain about the following binaries not matching md5sums:

Code:
/usr/bin/gencat: FAILED
/usr/bin/getconf: FAILED
/usr/bin/getent: FAILED
/usr/bin/iconv: FAILED
/usr/bin/lddlibc4: FAILED
/usr/bin/locale: FAILED
/usr/bin/localedef: FAILED
/usr/bin/rpcgen: FAILED
/usr/bin/sprof: FAILED
/usr/sbin/build-locale-archive: FAILED
/usr/sbin/glibc_post_upgrade.i686: FAILED
/usr/sbin/iconvconfig: FAILED
/usr/sbin/iconvconfig.i686: FAILED
/usr/sbin/nscd: FAILED
/usr/sbin/rpcinfo: FAILED
/usr/sbin/tzdata-update: FAILED
/usr/sbin/zdump: FAILED
/usr/sbin/zic: FAILED
/sbin/ldconfig: FAILED
/sbin/sln: FAILED
/etc/init.d/nscd: FAILED

This can be disregarded.
 
You guys are seriously amazing! I can't believe you've already patched this. I have servers at much larger hosting companies that haven't even published any information about it yet, much less patched it on their VPS's. Major kudos to you for resolving this so quickly. Impressive.
 
Yep, good job there! I was about to send an email and thought, "hm, check the forum first if they might have posted something about it already."

Keep it up!
 