GHOST Bug-CVE-2015-0235


We are living in a world where we hear a lot about ransoms being demanded by digital thieves who attack organizations that are weak at securing their important sites, especially e-commerce sites, which are the bread earners for them :)

Digital thieves take advantage of loopholes in such websites and plant their bugs on the servers on which these sites are hosted or run.

On the other hand, the good guys spend their days and nights looking for loopholes in any OS or application and making people aware of them, so that they do not become victims of digital crime.

Talking about bugs, recently we came across a bug called GHOST, which was identified by some good guys. As said in the link, this bug is present on Linux servers that have the glibc and nscd packages installed. This bug has been given the CVE number CVE-2015-0235 (a CVE number provides a common name for a publicly known vulnerability).

  • But does it really matter to bother about this bug? Why do I have to care about this bug?
The vulnerability is a buffer overflow in the gethostbyname() and gethostbyname2() functions of glibc, potentially resulting in arbitrary code execution. If an attacker succeeds in exploiting this vulnerability on your server, for example through a MITM attack, he can harm your server and cause business loss for you.


  • But why did this bug get the name GHOST? That is the first question that comes to my mind.
    There is a function on Linux called gethostbyname(), and this function has a loophole in its code, using which an attacker can do his tricks on a remote server that he has access to.
    So it is actually G-Host, but pronounced as GHOST.

    • The next question that comes to my mind is which Linux versions are affected by this bug.
    As per my study, below is the list of OS versions that are affected by this bug.

       Debian 7 (wheezy)
       Red Hat Enterprise Linux 5, 6 & 7
       CentOS 6 & 7
       Ubuntu 12.04



    • The next question that comes to my mind is: OK, I know the OS version, but how do I know my server is actually affected by this bug? How do I check which glibc or nscd package versions are installed on the server? (I know that, as a non-technical person, this question does not come to everyone's mind; you just want to get rid of this bullshit :D, which is understood)
    On initial investigation from my end, I found the data below. If the installed glibc version matches, or is more recent than, the ones listed here, the system is safe from the GHOST vulnerability:

       CentOS 6: glibc-2.12-1.149.el6_6.5
       CentOS 7: glibc-2.17-55.el7_0.5
       RHEL 5: glibc-2.5-123.el5_11.1
       RHEL 6: glibc-2.12-1.149.el6_6.5
       RHEL 7: glibc-2.17-55.el7_0.5
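The version comparison described above, written as a small script. This is an added example and not part of the original post: it maps the distro name to the fixed glibc package version listed above, strips the architecture suffix from `rpm -q glibc` style output, and compares the two using GNU `sort -V` ordering (assumed to be available). The sample package strings in the comments and the `ghost_check_local` helper name are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): decide whether an installed glibc
# package is at or above the fixed version the post lists for CVE-2015-0235.

# Fixed versions as listed in the post (RPM name-version-release, no arch).
ghost_fixed_version() {
  case "$1" in
    centos6|rhel6) echo "glibc-2.12-1.149.el6_6.5" ;;
    centos7|rhel7) echo "glibc-2.17-55.el7_0.5" ;;
    rhel5)         echo "glibc-2.5-123.el5_11.1" ;;
    *)             return 1 ;;   # distro not covered by the post's table
  esac
}

# Strip a trailing architecture suffix (x86_64, i686, i386, noarch) from an
# RPM NVRA string such as "glibc-2.12-1.149.el6.x86_64".
strip_arch() {
  printf '%s\n' "$1" | sed -E 's/\.(x86_64|i686|i386|noarch)$//'
}

# version_at_least <installed> <fixed>: succeeds when the installed NVR sorts
# at or after the fixed NVR in GNU "sort -V" (version) order. This is an
# approximation of rpm's own comparison that is good enough for these strings.
version_at_least() {
  hi=$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)
  [ "$hi" = "$1" ]
}

# ghost_status <distro> <installed NVRA>: prints "fixed", "vulnerable" or
# "unknown" (unknown distro, exit status 2).
ghost_status() {
  fixed=$(ghost_fixed_version "$1") || { echo "unknown"; return 2; }
  inst=$(strip_arch "$2")
  if version_at_least "$inst" "$fixed"; then
    echo "fixed"
  else
    echo "vulnerable"
  fi
}

# ghost_check_local <distro>: run the check against every glibc package on the
# current host. Assumes an RPM-based system with rpm(1) available; constructed
# helper, not called automatically.
ghost_check_local() {
  rpm -q glibc | while read -r pkg; do
    printf '%s: %s\n' "$pkg" "$(ghost_status "$1" "$pkg")"
  done
}

# Constructed sample strings, for running the script by hand:
#   ghost_status centos6 glibc-2.12-1.149.el6.x86_64     -> vulnerable
#   ghost_status rhel6   glibc-2.12-1.149.el6_6.5.x86_64 -> fixed
```

Run it as `. ./ghost-check.sh; ghost_check_local centos6` on a CentOS 6 box to get one line per installed glibc package (both x86_64 and i686 when multilib is present). The distro argument is needed because the fixed release differs per distro; a package that is "fixed" for RHEL 6 is not meaningful for RHEL 7.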

                       
    • What is the resolution to fix this?
    Update glibc to the latest version, and after that you need to reboot your server or simply restart the services that are using the glibc and nscd binaries on the server. You can check which services on the server are still using the old glibc and nscd binaries (processes that keep a deleted copy of libc mapped) by running the command below:

    # lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t



      It is up to you whether you can afford major downtime or only minimal downtime: either reboot the server, or just restart the services that use the glibc binaries.




      GHOST Bug



      • How to check for the vulnerability after applying the fix.
      # wget -O GHOST.c https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c
      # gcc -o GHOST GHOST.c
      # ./GHOST



      • If the target is vulnerable, you will see output similar to:
      Installed glibc version(s)
      - glibc-2.12-1.149.el6.x86_64: vulnerable
      - glibc-2.12-1.149.el6.i686: vulnerable
      This system is vulnerable to CVE-2015-0235

      That's all for now folks :), keep your servers safe. If you don't want to spend time on the above steps, you can reach out to me for further assistance.

      4 comments:

      1. Nice article .... Interesting Topic


      2. I have been browsing online more than 3 hours today, yet I never found any interesting article like yours. It is pretty worth enough for me. Personally, if all webmasters and bloggers made good content as you did, the web will be much more useful than ever before. gmail login

      3. Thanks for the motivational words, Oskar! Glad you liked it and that you spent your time writing about this page. Thanks again :)
