
GHOST Bug-CVE-2015-0235


We are living in a world where we hear about a lot of ransom demands made by digital thieves who attack organizations that are weak at securing their important sites, especially e-commerce sites, which are the bread earners for them :)

Digital thieves take advantage of loopholes in such websites and plant their bugs on the servers where these sites are hosted or run.

On the other hand, good guys spend their days and nights looking for loopholes in any OS or application and raising awareness so that people do not become victims of digital crime.

Talking about bugs, recently we came across a bug called GHOST, identified by some of those good guys. As described in the link, this bug is present on Linux servers that have the glibc and nscd packages installed. The bug was assigned the CVE number CVE-2015-0235 (CVE numbers provide a common name for publicly known cyber threats).

  • But does this bug really matter? Why do I have to care about it?
The vulnerability is a buffer overflow in the gethostbyname() and gethostbyname2() functions of glibc, potentially resulting in arbitrary code execution. If an attacker successfully exploits this vulnerability on your server, for example through a MITM attack, he can harm your server and cause business loss for you.


  • But why did this bug get the name GHOST? That is the first question that came to my mind.
    There is a function on Linux called gethostbyname(), and this function has a loophole in its code, using which an attacker can do his tricks on a remote server he has access to.
    So it is actually G-Host, but pronounced as GHOST.

    • The next question that came to my mind is: which Linux versions are affected by this bug?
    As per my study, below is the list of OSes affected by this bug:

       Debian 7 (wheezy)
       Red Hat Enterprise Linux 5, 6 & 7
       CentOS 6 & 7
       Ubuntu 12.04



    • The next question that came to my mind is: OK, I know the OS version, but how do I know whether my server is actually affected by this bug, and how do I check which glibc or nscd package versions are installed on the server? (I know that as a non-technical person this question does not come to everyone's mind, you just want to get rid of this bullshit :D, which is understood)
    On initial investigation from my end, I found the data below. If the installed glibc version matches, or is more recent than, the one listed here, the system is safe from the GHOST vulnerability:

       CentOS 6: glibc-2.12-1.149.el6_6.5
       CentOS 7: glibc-2.17-55.el7_0.5
       RHEL 5: glibc-2.5-123.el5_11.1
       RHEL 6: glibc-2.12-1.149.el6_6.5
       RHEL 7: glibc-2.17-55.el7_0.5
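
To automate the comparison above, here is an added Python example (not from the original post) that parses package names in the format printed by rpm -q glibc, compares version and release against the fixed builds listed above using a simplified rpmvercmp, and reports each package as fixed or vulnerable. The sample package lines embedded at the bottom are constructed.

```python
import re

# Minimum fixed glibc builds per RHEL/CentOS release, as listed in the post.
FIXED = {
    "el5": "2.5-123.el5_11.1",
    "el6": "2.12-1.149.el6_6.5",
    "el7": "2.17-55.el7_0.5",
}

_SEG = re.compile(r"(\d+|[a-zA-Z]+)")

def rpmvercmp(a, b):
    """Simplified rpmvercmp: compare digit/alpha segments left to right.
    Returns 1 if a is newer, -1 if older, 0 if equal."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            x, y = int(x), int(y)          # numeric segments compare as numbers
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment beats an alpha one
        if x != y:
            return 1 if x > y else -1
    # All shared segments equal: the one with extra segments is newer
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def is_fixed(installed_vr, fixed_vr):
    """installed_vr / fixed_vr look like '2.12-1.149.el6_6.5' (version-release)."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    c = rpmvercmp(iv, fv) or rpmvercmp(ir, fr)
    return c >= 0

def check_rpm_line(line):
    """Parse one 'rpm -q glibc' line such as 'glibc-2.12-1.149.el6.x86_64'
    and return (version-release, 'fixed' | 'vulnerable')."""
    m = re.match(r"glibc-(.+)\.(x86_64|i686|noarch)$", line.strip())
    if not m:
        raise ValueError("not a glibc package name: %r" % line)
    vr = m.group(1)
    dist = re.search(r"\.(el\d+)", vr)
    if not dist or dist.group(1) not in FIXED:
        raise ValueError("no fixed version known for: %r" % line)
    return vr, "fixed" if is_fixed(vr, FIXED[dist.group(1)]) else "vulnerable"

if __name__ == "__main__":
    # Constructed sample output of `rpm -q glibc` on a mixed-arch host
    for pkg in ["glibc-2.12-1.149.el6.x86_64", "glibc-2.12-1.149.el6_6.5.i686"]:
        print("- %s: %s" % (pkg, check_rpm_line(pkg)[1]))
```

Feed it the real output of `rpm -q glibc` to check every installed architecture of the package, not just the one the shell happens to resolve.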

                       
    • What is the resolution to fix this?
    Update glibc to the latest version, and after that reboot your server, or at least restart the services that are using the glibc and nscd binaries on the server. You can check which running processes still have the old, now-deleted glibc library mapped by running the command below:

    # lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t



      It is up to you whether you can afford major downtime or only minimal downtime: either reboot the server, or just restart the services that are still using the old glibc binaries.




      GHOST Bug



      • How to check for the vulnerability after applying the fix:
      # wget -O GHOST.c https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c
      # gcc -o GHOST GHOST.c
      # ./GHOST



      • If the target is vulnerable, you will see output similar to:
      Installed glibc version(s)
      - glibc-2.12-1.149.el6.x86_64: vulnerable
      - glibc-2.12-1.149.el6.i686: vulnerable
      This system is vulnerable to CVE-2015-0235

      That's all for now folks :), keep your servers safe. If you don't want to spend time on the above steps, you can reach out to me for further assistance.



      Comments

      1. Nice article .... Interesting Topic

      2. I have been browsing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the web will be much more useful than ever before. gmail login

      3. Thanks for the motivational words Oskar! Glad you liked it and that you spent your time writing about this page. Thanks again :)
