Jump to content

Linux zero-day vulnerability - Important information for Linux servers

Recommended Posts

I received this securitybulletin minutes ago:

Today, a critical security vulnerability affecting many versions of Linux was released. As this can possibly lead to remote code execution, our advisory is to patch your system -NOW- and not later today, if you should find that the version of Linux you are using is vulnerable. 

The vulnerability is called GHOST and was found by Qualys security labs. It affects the function "gethostbyname" which is used by many programs to fetch the IP of a hostname. To our knowledge, at least the following Linux distributions are affected (PLEASE CHECK YOUR OS EVEN IF NOT LISTED):

  • Ubuntu 10.04/12.04

  • Debian 7

  • CentOS 6 and 7 (potentially 5 as well)

  • SLES 11

If you are unsure: You can find a script which will check your system at http://i.yt.gl/get/44ecc/pseet.zip
unzip the package, then chmod +x GHOST-vuln-check.sh -> now simply ./GHOST-vuln-check.sh and you should get information if your system is vulnerable. (We take no warranty that this script works for you, we are not liable for damage.) 

Please note: You WILL NEED to restart your system. We know that this is unusual on Linux, but the respective function is used within core components. Therefor, to ensure that your server is not at any risk, please restart your server after installing the patch.

Link to comment
Share on other sites

Yes, on CentOS 6.5 x64, glibc was updated this morning:


 Package                                    Arch                           Version                                              ==================================================================================================
 glibc                                      x86_64                         2.12-1.149.el6_6.5                                   
 glibc-common                               x86_64                         2.12-1.149.el6_6.5                                   
 glibc-devel                                x86_64                         2.12-1.149.el6_6.5                                   
 glibc-headers                              x86_64                         2.12-1.149.el6_6.5                                   


Testscript results: not vulnerable :thumbsup:

Link to comment
Share on other sites

Possible attack vectors

The gethostbyname() call is probably among the most used ones on a server. That means any kind of DNS resolve can be used to trigger the CVE. The only catch is, you need to control whatever DNS is being resolved.

That could mean;

  • Mailservers using reverse DNS lookups on connecting IPs (DNS Blacklisting, SPF checks, ...)
  • Form submits that allow user content which results in a DNS lookup, think URLs, WordPress XML-RPC pingbacks, ...
  • MySQL servers doing authentication checks based on hostnames (in MySQL privileges)
  • SSH servers that perform DNS lookups for authentication allow/deny rules

For a more in-depth look, including code examples, have a look at the Qualys mailing list entry which covers the situation more in-depth.

Any kind of DNS lookup can potentially trigger this. The only "positive" thing is that the exploit doesn't immediately escalate privileges, you're still the same user that ran the command. But there are ways of doing privilege escalation of course. And non-privileged users are still valuable assets for DDoS attacks, making server inventories


You can use this command to check which services use libc and restart them :

for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep $s)" ]]; then echo $s; service $s restart; fi; done


Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...