Pierluigi Paganini February 08, 2015

Researchers at Veracode discovered that nearly 41% of enterprise applications using GNU C Library employ the Ghost-ridden ‘gethostbyname’ function.

GNU C Library (glibc) vulnerability, named as the GHOST vulnerability, was released by Qualys Guard on 27th January 2015. Severity of this vulnerability is “CRITICAL” and listed in CVE database as CVE-2015-0235. Vulnerability is termed as GHOST because it let attacker take control of the victim’s system remotely by exploiting a buffer overflow bug in glibc’s gethostbyname( ) functions.

As per Application security vendor Veracode, cloud-based scanning services find that 41% of its customers uses the GNU C library, aka glibc and found the gethostbyname function vulnerable.

Veracode rated this vulnerability as highly Critical, as 80% of applications like financial transaction applications or application that access sensitive databases uses glibc library and which could be victim of GHOST vulnerability.

It resolves hostname to IPv4 address and connects to client by creating socket. When gethostbyname( ) function failed to calculate size of data while DNS resolving and so enough memory is not allocated, hence it results buffer overflow. However, it is now replaced by getaddrinfo( ) function.

Location of library in different linux distribution are following for example for CentOS , location are /lib/libc.so.6 and for Ubuntu /usr/lib/x86-64-linuxgnu/libc.so. The systems which are vulnerable to GHOST are GNU C Library prior to glibc- 2.18, Ubuntu 12.04, Debian 7, Red hat Enterprise linux 6 & 7 , CentOS 6 & 7.

Let’s test your systems are vulnerable to GHOST.

The first step is to check which version of glibc is present in system.

To find Version of glibc in Ubuntu and Debian, you need to run command ldd –version. It shows the version of EGLIBC, a variant of glibc on Ubuntu and Debian systems. System is vulnerable to GHOST if version of EGLIBC is older than below listed versions Ubuntu 12.04 LTS – 2.15-0 ubuntu10.10 and Debian 7 LTS – 2.13-38+deb7u7. To find Version of

To find Version of glibc in CentOS and RHEL, you need to run command rpm -q glibc .System is vulnerable to GHOST if version of EGLIBC is older than below listed versions CentOS 6 – glibc-2.12-1.149.el6_6.5, CentOS 7 – glibc-2.17-55.el7_0.5, RHEL 6 – glibc-2.12-1.149.el6_6.5 and RHEL 7 – glibc-2.17-55.el7_0.5.

If you find system is vulnerable to GHOST, it should be patched as all patches has been realesed.

GHOST vulnerability can be addressed by updating the version of glibc.

For Ubuntu and Debian, run command sudo apt-get update and sudo apt-get dist-upgrade. After updating you need to reboot the system using command sudo reboot .

For Ubuntu and Debian

• sudo apt-get update
• sudo apt-get dist -upgrade 
• Press “Y“
• Reboot the system using command sudo reboot 

For CentOS and RHEL, run command sudo yum update glibc .After updating you need to reboot the system using command sudo reboot or manually which ever you like more.

• sudo yum update glibc Press “Y” Step
• Press “Y”Reboot the system using command
• Reboot the system using command sudo reboot

Software that initiate network connection, log processing and mail or spam filtering can be vulnerable to GHOST as it uses gethostbyname( ) function.initiate network connection, log processing and mail or spam filtering can be vulnerable to GHOST as it uses gethostbyname( ) function.

Veracode found that 72% of applications which is written in C or C++ are potentially vulnerable to GHOST, even they also found that application written in Java, .NET, and PHP are also vulnerable to GHOST.

(Security Affairs –  Ghost vulnerability, Linux)