
GHOST Bug-CVE-2015-0235


We are living in a world where we hear a lot about ransom being demanded by digital thieves who attack organizations that are weak at securing their important sites, especially e-commerce sites, which are the bread earners for them :)

Digital thieves take advantage of loopholes on such websites and plant their bugs on the servers on which these sites are hosted or run.

On the other hand, the good guys spend day and night looking for loopholes in any OS or application and raising awareness so that people do not become victims of digital crime.

Talking about bugs, we recently came across a bug called GHOST, which was identified by some of the good guys. As said in the link, this bug is present on Linux servers that have the glibc and nscd packages installed. It has been given the CVE number CVE-2015-0235 (a CVE number provides a common name for publicly known cyber threats).

  • But does it really matter? Why do I have to care about this bug?
The vulnerability is a buffer overflow in the gethostbyname() and gethostbyname2() functions of glibc, potentially resulting in arbitrary code execution. If an attacker succeeds in exploiting this vulnerability on your server through any MitM attack, they can harm your server and cause business loss for you.


  • But why did this bug get the name GHOST? That was the first question that came to my mind.
    There is a function on Linux called gethostbyname(), and this function has a loophole in its code which an attacker can use to do his tricks on a remote server to which he has access.
    So it is actually G-Host, but pronounced GHOST.

    • The next question that came to my mind: which Linux versions are affected by this bug?
    As per my study, below is the list of OSes which are affected by this bug.

       Debian 7 (wheezy)
       Red Hat Enterprise Linux 5, 6 & 7
       CentOS 6 & 7
       Ubuntu 12.04



    • The next question that came to my mind: OK, I know the OS versions, but how do I know whether my server is actually affected by this bug, and how do I check which glibc or nscd package versions are installed on the server? (I know that, for a non-technical person, this question does not come to mind; you just want to get rid of this bullshit :D, which is understood.)
    From my initial investigation, I found the data below. If the version of glibc matches, or is more recent than, the ones listed here, the system is safe from the GHOST vulnerability:

       CentOS 6: glibc-2.12-1.149.el6_6.5
       CentOS 7: glibc-2.17-55.el7_0.5
       RHEL 5: glibc-2.5-123.el5_11.1
       RHEL 6: glibc-2.12-1.149.el6_6.5
       RHEL 7: glibc-2.17-55.el7_0.5
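
One way to automate the comparison above, as an added example that is not part of the original post: it checks a `rpm -q glibc` style package string against the fixed versions listed above using a simplified RPM-style version comparison. The function names are hypothetical, and the comparison assumes no epoch and no `~` in the version.

```python
import re

# Minimum fixed glibc version-release per distro, copied from the list above.
FIXED = {
    "CentOS 6": "2.12-1.149.el6_6.5",
    "CentOS 7": "2.17-55.el7_0.5",
    "RHEL 5": "2.5-123.el5_11.1",
    "RHEL 6": "2.12-1.149.el6_6.5",
    "RHEL 7": "2.17-55.el7_0.5",
}

def _cmp_part(a, b):
    """Simplified rpmvercmp: compare runs of digits/letters, ignore separators."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1   # a numeric run beats a letter run
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the string with segments left over is newer.
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_vr(a, b):
    """Compare two 'version-release' strings; returns -1, 0 or 1."""
    va, _, ra = a.partition("-")
    vb, _, rb = b.partition("-")
    return _cmp_part(va, vb) or _cmp_part(ra, rb)

def ghost_status(distro, package):
    """package is one line of `rpm -q glibc` output, arch suffix optional."""
    m = re.match(r"glibc-(.+?)(?:\.(?:x86_64|i[3-6]86))?$", package)
    if m is None or distro not in FIXED:
        raise ValueError("unsupported input: %r on %r" % (package, distro))
    fixed = FIXED[distro]
    return "patched" if compare_vr(m.group(1), fixed) >= 0 else "vulnerable"

if __name__ == "__main__":
    # Constructed sample inputs; the first matches the page's sample output.
    for distro, pkg in [("CentOS 6", "glibc-2.12-1.149.el6.x86_64"),
                        ("CentOS 6", "glibc-2.12-1.149.el6_6.5.x86_64"),
                        ("RHEL 7", "glibc-2.17-55.el7.x86_64")]:
        print(distro, pkg, ghost_status(distro, pkg))
```

A "patched" result covers only the package installed on disk; processes started before the update keep the old library mapped until they are restarted.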

                       
    • What is the resolution to fix this?
    Update glibc to the latest version; after that you need to either reboot your server or simply restart the services which are using the glibc and nscd binaries on the server. You can check which services on the server are using the glibc and nscd binaries by running the command below:

    # lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t



      It's up to you whether you can afford major downtime or minimal downtime: either reboot the server or just restart the services using the glibc binaries.







      • How to check for the vulnerability after applying the fix:
      # wget -OGHOST.c https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c
      # gcc -o GHOST GHOST.c
      # ./GHOST



      • If the target is vulnerable, you will see output similar to:
      Installed glibc version(s)
      - glibc-2.12-1.149.el6.x86_64: vulnerable
      - glibc-2.12-1.149.el6.i686: vulnerable
      This system is vulnerable to CVE-2015-0235

      That's all for now folks :) Keep your servers safe. If you don't want to spend time on the above steps, you can reach out to me for further assistance.



      Comments

      1. Nice article .... Interesting Topic


      2. I have been browsing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the web will be much more useful than ever before. gmail login

      3. thanks for the motivational words Oskar! glad you liked it and you spent your time writing about this page. thanks again :)

