
GHOST Vulnerability Update

The recently announced Glibc GHOST vulnerability (CVE-2015-0235) has been top of conversation and action since it was announced on Tuesday, January 27, 2015.

Following is a detailed update about our work to address this issue.

ServerCentral administrators are currently working to patch all affected systems against the GHOST vulnerability. We are also working with appliance vendors to apply any needed patches.

We will directly contact any affected managed service customers to schedule the patch and subsequent device reboot.

GHOST Vulnerability Check

We strongly encourage all customers to check their version of Glibc, determine whether it is vulnerable, and patch and reboot as needed. The easiest way to check whether your version of Glibc is vulnerable is to compile and run the following C code:

/* ghosttest.c: GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r();
 * a vulnerable glibc overflows the buffer and overwrites it. */
struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;

    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    /* Pick a name length that a fixed glibc correctly rejects as not fitting,
     * but that a vulnerable glibc (whose size computation is one pointer-sized
     * term short) believes fits and then overflows. */
    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);   /* an all-digit "hostname" takes the affected code path */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
    }
    if (retval == ERANGE) {       /* a fixed glibc reports the buffer as too small */
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
}

Save this C code to a file called ghosttest.c.

Compile and run it as follows:

$ gcc ghosttest.c -o ghosttest
$ ./ghosttest

Sample output from patched Debian v7.8 server:

not vulnerable

Sample output from unpatched Ubuntu 12.04 LTS server:

vulnerable

How do I list packages/applications that depend upon vulnerable Glibc?

Type the following lsof command:

lsof | grep libc | awk '{print $1}' | sort | uniq

This will produce a list of all running processes that currently have Glibc mapped; each of them is potentially affected by the vulnerability until Glibc is patched and the process is restarted (or the system rebooted).
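The lsof listing above answers the question before the patch. The script below, an added example that is not part of the original post, answers the follow-up question after the patch: which long-running processes still have the old, pre-patch libc mapped (the kernel shows such mappings as "(deleted)" in /proc/PID/maps) and therefore still need a restart. The sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): after the Glibc package is upgraded,
# processes that were already running keep the OLD, vulnerable libc mapped until
# they are restarted. The kernel marks such mappings "(deleted)" in /proc/PID/maps,
# so they can be found without lsof.

# Print the distinct deleted libc paths found in /proc/PID/maps-style lines on stdin.
# Matches libc-2.15.so, libc.so.6, etc., but not libcrypto.so or libcap.so.
stale_libc_mappings() {
    grep -E '/libc(-[0-9.]+)?\.so[.0-9]* \(deleted\)' | awk '{ print $6 }' | sort -u
}

# Scan every readable process; print "PID COMM OLD_LIBC_PATH" for each one that
# still maps a deleted libc. Run as root to see other users' processes.
list_stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}
        pid=${pid%/maps}
        stale=$(cat "$maps" 2>/dev/null | stale_libc_mappings)
        [ -n "$stale" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s %s\n' "$pid" "$comm" "$stale"
    done
}

# Constructed sample lines in /proc/PID/maps format (not captured from a real host):
# two segments of an old libc, an unrelated deleted library, and a current libc.
SAMPLE_MAPS='7f3a0c000000-7f3a0c1b5000 r-xp 00000000 08:01 262173 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)
7f3a0c1b5000-7f3a0c3b4000 ---p 001b5000 08:01 262173 /lib/x86_64-linux-gnu/libc-2.15.so (deleted)
7f3a0c400000-7f3a0c5c0000 r-xp 00000000 08:01 262200 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f3a0c600000-7f3a0c700000 r-xp 00000000 08:01 262300 /lib/x86_64-linux-gnu/libc.so.6'

printf '%s\n' "$SAMPLE_MAPS" | stale_libc_mappings   # prints /lib/x86_64-linux-gnu/libc-2.15.so
list_stale_processes
```

An empty result from list_stale_processes means every process is already using the patched library; anything listed should be restarted, or the host rebooted as the post recommends.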

We encourage all of our customers to perform additional reviews of their internal and external services and confirm they are secure against this vulnerability.

For more information about the GHOST vulnerability, please visit:
http://www.openwall.com/lists/oss-security/2015/01/27/9
http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/

If you have any questions, or if we can be of assistance, please do not hesitate to contact us at your convenience. The best way to do so, regarding this issue, is by dropping a ticket.
