A very serious security problem has been found in the GNU C Library (Glibc) called GHOST. How can I fix GHOST vulnerability and protect my Linux server against the attack? How do I verify that my server has been fixed against the Glibc GHOST vulnerability?

A very serious security problem has been found and patched in the GNU C Library called Glibc. It was announced on 27th January 2015.

What is the GHOST security bug?

Tutorial details
Difficulty level: Easy
Root privileges: Yes
Requirements: Linux + reboot required
Est. reading time: 2 minutes

From the RHEL bugzilla:

A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker could use this flaw to execute arbitrary code with the permissions of the user running the application.

A mailing list entry with more details, including in-depth analysis and exploit vectors is here.

What C library (Glibc) version does my Linux system use?

The easiest way to check the version number is to run the following command:

ldd --version

Sample outputs from RHEL/CentOS Linux v6.6:

ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Sample outputs from Ubuntu Linux 12.04.5 LTS:

ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

Sample outputs from Debian Linux v7.8:

ldd (Debian EGLIBC 2.13-38+deb7u6) 2.13
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
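The version printed by ldd --version is only a first screen: the upstream fix landed in glibc 2.18, but RHEL, Debian and Ubuntu backported it into the older version numbers shown above, so a number below 2.18 means "ask the distribution", not "vulnerable". The shell functions below are an added example (not code from the article) that pull the bare version out of ldd output and apply exactly that screen; the sample strings are constructed from the outputs printed above plus one hypothetical host already on upstream 2.20. The same check is what Method #1 of the verification section at the end relies on.

```shell
#!/bin/sh
# Added example, not part of the original article.
# Screen `ldd --version` output against the upstream fix (glibc 2.18).
# "check-distro" is NOT a verdict: distributions backport the fix into
# older version numbers, so follow up with the C tester below or the
# vendor's package changelog (see the RHEL script later on this page).

# Constructed samples of the first line of `ldd --version`
SAMPLE_RHEL6='ldd (GNU libc) 2.12'                          # RHEL/CentOS 6.6
SAMPLE_UBUNTU='ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15'   # Ubuntu 12.04.5
SAMPLE_NEW='ldd (GNU libc) 2.20'                            # hypothetical host

# Print the bare upstream version: the last field of the first line.
glibc_version_from_ldd() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Compare major.minor against 2.18.
# Prints "fixed-upstream" or "check-distro".
glibc_screen() {
    ver=$(glibc_version_from_ldd "$1")
    maj=${ver%%.*}          # "2.12" -> "2"
    rest=${ver#*.}          # "2.12" -> "12"
    min=${rest%%.*}         # drop any patch level, e.g. "12.1" -> "12"
    if [ "$maj" -gt 2 ] || { [ "$maj" -eq 2 ] && [ "$min" -ge 18 ]; }; then
        echo fixed-upstream
    else
        echo check-distro
    fi
}

# Run against the live system when ldd is available.
if command -v ldd >/dev/null 2>&1; then
    glibc_screen "$(ldd --version 2>/dev/null)"
fi
```

All three distributions shown on this page report "check-distro", which is expected: the patched packages they ship still carry 2.12, 2.15 and 2.13 in their version strings.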

A list of affected Linux distros

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux version 5.x, 6.x & 7.x
  • Ubuntu Linux version 10.04, 12.04 LTS
  • Debian Linux version 7.x
  • Linux Mint version 13.0
  • Fedora Linux version 19 or older
  • SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc version <= 2.18-1

GHOST vulnerability check

You can test or reproduce the bug using the following C code:

/* ghosttest.c:  GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
 
#define CANARY "in_the_coal_mine"
 
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
 
int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;
 
  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';
 
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
 
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

Compile and run it as follows:

$ gcc ghosttest.c -o ghosttest
$ ./ghosttest

Sample outputs from patched Debian v7.8 server:

not vulnerable

Sample outputs from unpatched Ubuntu 12.04 LTS server:

vulnerable

How do I list the packages/applications that depend on the vulnerable Glibc?

Type the following lsof command:

lsof | grep libc | awk '{print $1}' | sort | uniq

Sample outputs from my Debian Linux v7.x NAS:

Fig.01: Linux find all the services/applications that rely on the GNU C libraries (Glibc) command
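The lsof listing above shows what uses libc right now; the question after the upgrade is which of those processes are still running with the old library mapped. A process started before the update keeps the pre-update libc in memory, and the kernel marks that mapping "(deleted)" in /proc/<pid>/maps. The script below is an added example, not code from the article: it parses maps-style records (constructed sample data, PID 1234 standing in for a long-running sshd) and reports the PIDs that must be restarted, which is the check that tells you whether a reboot is actually required.

```shell
#!/bin/sh
# Added example, not part of the original article.
# After `glibc` is upgraded, processes started before the upgrade still map
# the OLD library; /proc/<pid>/maps shows that mapping as "(deleted)".
# Those are the services to restart (or the reason to reboot).

# Constructed sample: "<pid> <maps line>" records as scan_proc() emits them.
# PID 1234 still maps the pre-update libc; PID 5678 maps the new one and
# has an unrelated stale zlib mapping that must not be reported.
SAMPLE_MAPS='1234 7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 393228 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
1234 7f3a1c3a0000-7f3a1c3a4000 r--p 001a0000 08:01 393228 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
5678 7f9b20000000-7f9b201a0000 r-xp 00000000 08:01 393410 /lib/x86_64-linux-gnu/libc-2.13.so
5678 7f9b20400000-7f9b20410000 r-xp 00000000 08:01 12001 /usr/lib/libz.so.1.2.7 (deleted)'

# Print the unique PIDs whose maps reference a deleted libc.
# A maps line ends with the pathname, followed by "(deleted)" when the
# file on disk has been replaced; the PID is prepended as field 1.
stale_libc_pids() {
    printf '%s\n' "$1" | awk '
        $NF == "(deleted)" {
            p = $(NF - 1)
            if (index(p, "/libc-") || index(p, "/libc.so")) print $1
        }' | sort -u
}

# Emit "<pid> <maps line>" for every libc mapping on the live system.
# Maps of other users' processes are unreadable without root and are skipped.
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        awk -v pid="$pid" '/libc/ { print pid, $0 }' "$maps" 2>/dev/null
    done
}

# Live report: "<pid> <command name>" for each process still on the old libc.
# Usage on a real host (as root for full coverage): report_stale_libc
report_stale_libc() {
    stale_libc_pids "$(scan_proc)" | while read -r pid; do
        printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
    done
}
```

An empty report after the upgrade means every process already runs on the new library and a reboot is not needed for glibc's sake; a non-empty one lists exactly the services to restart.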

Fix the GHOST vulnerability on a CentOS/RHEL/Fedora/Scientific Linux

Type the following yum command as the root user:

sudo yum clean all
sudo yum update

Finally, reboot RHEL/SL/Fedora/CentOS Linux server by typing the following command:

### Sysadmin should plan on updating as soon as possible or use maintenance reboot window ##
sudo reboot

Sample outputs:

Fig.02 Fix the GHOST vulnerability on a CentOS/RHEL/Fedora/Scientific Linux

Fix the GHOST vulnerability on Ubuntu Linux

Type the following apt-get command as the root user:

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
## only run dist-upgrade on Ubuntu if you want to upgrade the kernel too
##sudo apt-get dist-upgrade

Finally, reboot Ubuntu Linux server by typing the following command:

sudo reboot

Sample outputs:

Fig.03: Fix the GHOST vulnerability on Ubuntu Linux LTS

Fix the GHOST vulnerability on a Debian Linux

Type the following apt-get command as the root user:

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
##No need to do dist-upgrade (see man page: man apt-get)
##sudo apt-get dist-upgrade

Finally, reboot Debian Linux server by typing the following command:

sudo reboot

Sample session:

Gif 01: Fix the GHOST vulnerability on a Debian Linux server

Fix the GHOST vulnerability on a SUSE Linux Enterprise

To install this SUSE Security Update use YaST online_update. Or use the following commands as per your version:

SUSE Linux Enterprise Software Development Kit 11 SP3

zypper in -t patch sdksp3-glibc-10206

SUSE Linux Enterprise Server 11 SP3 for VMware

zypper in -t patch slessp3-glibc-10206

SUSE Linux Enterprise Server 11 SP3

zypper in -t patch slessp3-glibc-10206

SUSE Linux Enterprise Server 11 SP2 LTSS

zypper in -t patch slessp2-glibc-10204

SUSE Linux Enterprise Server 11 SP1 LTSS

zypper in -t patch slessp1-glibc-10202

SUSE Linux Enterprise Desktop 11 SP3

zypper in -t patch sledsp3-glibc-10206

Finally, on every SUSE Linux version, run the following to bring your system up to date:

zypper patch

Fix the GHOST vulnerability on OpenSUSE Linux

To see a list of available updates, including glibc, on OpenSUSE Linux, enter:

# zypper lu

To update the installed glibc packages to their newer available versions, run:

# zypper up

How can I verify that my Linux system is no longer vulnerable after the reboot?

Method #1: The easiest way to check for the vulnerability and/or confirm remediation is to run the following command and verify that you are running an updated version of Glibc:

$ ldd --version

Method #2: Run the instructions given in the previous section called GHOST vulnerability check (generic method for all Linux based systems).

Method #3: If you are an RHN subscriber, see the Red Hat Access Lab: GHOST tool (only for RHEL/CentOS/SL systems – download link):

#!/bin/bash
# rhel-GHOST-test.sh -  GHOST vulnerability tester. Only for CentOS/RHEL based servers.  #
# Version 3
# Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/ #
echo "Installed glibc version(s)"
 
rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
 
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2   -o  \
        \( "$glibc_maj" -eq 2  -a  "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done
 
if [ $rv -ne 0 ]; then
    cat <<EOF
 
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi
 
exit $rv

Sample outputs from patched RHEL v6.8 server:

bash rhel-GHOST-test.sh 
Installed glibc version(s)
- glibc-2.12-1.149.el6_6.5.x86_64: not vulnerable
- glibc-2.12-1.149.el6_6.5.i686: not vulnerable

This entry is 2 of 2 in the Linux GHOST Glibc Critical Security Vulnerability series. Keep reading the rest of the series:
  1. Check Ghost Vulnerability Test Programs
  2. Secure and Patch Your Linux Server For Ghost Bug

129 comments
  • Gordon Delgado Feb 12, 2015 @ 19:26

    OK, so you tell me how:

    “The easiest way to check the version number is to run the following command:
    ldd --version”

    …but you don’t tell me what versions are vulnerable.

    -1

    • 🛡️ Vivek Gite (Author and Admin) nixCraft Feb 12, 2015 @ 20:17

      Distro: Version
      Ubuntu 12.04 LTS: 2.15-0ubuntu10.10
      Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
      Debian 7 LTS: 2.13-38+deb7u7
      CentOS 5: glibc-2.5-123.el5_11.1
      CentOS 6: glibc-2.12-1.149.el6_6.5
      CentOS 7: glibc-2.17-55.el7_0.5
      RHEL 5: glibc-2.5-123.el5_11.1
      RHEL 6: glibc-2.12-1.149.el6_6.5
      RHEL 7: glibc-2.17-55.el7_0.5

      • MoChaMan Feb 12, 2015 @ 20:42

        I think NixCraft has posted a list of the patched versions of GLIBC not the vulnerable versions. These RPMs are the latest, all uploaded on 27 January 2015 so I don’t believe they’re vulnerable. Thanks to NixCraft / Vivek Gite for creating an excellent site full of great tutorials.

        • 🛡️ Vivek Gite (Author and Admin) nixCraft Feb 13, 2015 @ 7:00

          Thank you for the kind words!

  • amol Feb 15, 2015 @ 15:12

    I’ve a CentOS 6.0 server with glibc-2.12-1.7.el6.x86_64. Now if I update it to glibc-2.12-1.149.el6_6.5, do I need to recompile my C/C++ apps?

    • Cody Feb 9, 2016 @ 2:02

      For future reference:

      You would only have to recompile them if you statically link to the affected libraries. If you don’t know whether it is statically linked (or what that means) you’re probably OK (though there are ways to check but I won’t get into those).

      Otherwise you’d only have to restart whatever uses the libraries (or if they aren’t loaded then you shouldn’t need to do anything at all other than update the libraries).

  • Tdv Mar 5, 2015 @ 22:48

    I ran the gcc command on Ubuntu Server 8, and it says gcc is not installed. It suggests running apt-get install gcc. But that doesn’t work, since no packages can be downloaded to 8. Should I just do what Jim suggests 5 posts up, for really old legacy servers?

    • Jim Mar 6, 2015 @ 15:11

      Ubuntu 8.04 LTS can easily be upgraded to 10.04 LTS
      And 10.04 LTS is still supported for a few months, so has all the necessary updates.

      You may need to add some new sources to your apt config:
      https://help.ubuntu.com/community/EOLUpgrades

      • Tdv Mar 6, 2015 @ 17:20

        Thanks so much, Jim!

  • Gaz Mar 7, 2015 @ 13:02

    Maybe I’ve overlooked this already in the thread, but is there an offline installer to patch RHEL 5? I’m unable to allow internet access to our servers in question, so YUM etc. is out of the question. Any help appreciated, thanks!

    • yamo' Mar 7, 2015 @ 14:15
      • Gaz Mar 7, 2015 @ 14:19

        Thanks for the link, but I don’t think it helps me as I can’t access the internet from my RHEL 5 servers. I’m looking for a link to download the RPMs from, maybe in tar / zip format?

        • yamo' Mar 7, 2015 @ 16:54

          Don’t you have another RHEL 5 to download the file? Or ask Oracle support for the rpm file(s).

          • Gaz Mar 7, 2015 @ 16:56

            Unfortunately I don’t have any RHEL servers in the DMZ to download from, that’s my main issue. I’ll see if Oracle can provide us the required RPMs, I was just hoping to get them from my Windows laptop, though this isn’t looking likely. Thanks for your help anyway.

            • MoChaMan Mar 7, 2015 @ 17:40

              My suggestion is to go to a CentOS 5 mirror and download the required RPMs manually to some other machine, then copy the RPMs to a USB key which you can then insert in the server in question. I like to use the Rackspace mirror. Here’s the link to the x86_64 RPMs:

              http://mirror.rackspace.com/centos/5/updates/x86_64/RPMS/

              I don’t have the full list of RPMs you need but you can keep running:

              rpm --test -Uvh *.rpm

              until the upgrade goes cleanly, then remove --test.

  • Raghu Rao May 1, 2015 @ 16:36

    Hi,
    We have SUSE Linux. As per this, I have to run the following:
    SUSE Linux Enterprise Server 11 SP2 LTSS: zypper in -t patch slessp2-glibc-10204
    However, due to the firewall I cannot do an update. What are all the packages that I need to download for this, and what are the zypper commands to apply those packages? Appreciate any help in this regard.

    Thanks!

  • me1122 Jun 6, 2015 @ 9:12

    Hi,

    I want to solve the Ghost vulnerability on Fedora release 8 (Werewolf), but it is still vulnerable after running the update commands. Please guide me.

    thanks in advance.

    • Cody Feb 9, 2016 @ 1:55

      Seriously? You’re using Fedora 8 in 2015 ? That’s incredibly irresponsible and even if you aren’t concerned for your own network (and shame on you for your recklessness) it affects devices across the Internet (right good job making the Internet even less safe than it already has to be). To be using Fedora 8 in 2015… I really hope you’re not an administrator and frankly you’re just as bad as those still using Windows 9x (or more recently XP) – and shouldn’t be allowed to use computers (or any Internet capable device – if not more than that). I’d go so far as to say you shouldn’t be allowed to do a lot more than just use a computer but I’ll not get into that.

      I’m not going to even remark on the rest of your message because you have far more serious problems than CVEs for some years …

  • Cody Feb 9, 2016 @ 1:49

    Yeah, it’s old but I want to point several things out.

    Rebooting is only necessary for this if you don’t know how shared libraries work (and/or for some reason you ‘cannot’ restart a service). In the case a binary links it statically they would have to recompile it anyway (and therefore restart the service .. sort of like when dynamically linked but with the latter it is only necessary to compile the library) and in the case of dynamic you need only restart the service.

    Furthermore the bug was for older socket code i.e. those that use (as the report indicates) gethostby* family in this case. I can’t remember the last time I used a struct hostent and it’s been declared obsolete for years (and POSIX-1.2008 removed the specification). I’m not saying that nothing uses it (I’m aware of some services that do) but it’s not as common as it used to be (this was also true when this CVE was published).

    In addition, the only time you need reboot a server (unsure on Windows and I don’t deal with Macs but more likely to match Linux as it’s based on NeXTSTEP and some BSD (?)) is if you need to load a kernel. I’m obviously ignoring specific cases like changing SELinux (disabling, enabling, …) and I’m also ignoring hardware (e.g. not hot swappable) upgrades (whatever); I’m only talking about software updates. There are perhaps some rare exceptions but this is all part of the beauty of shared libraries (and other things).

    Lastly, on the subject of different distributions keep in mind that:

    a) some will backport fixes (CentOS does this frequently as it maintains stability due to not having so many updates – and it is for a server after all) i.e. it patches the fixes (of the more recent release) into the old (hence ‘backport’). Yes this means you might have an update despite what the version claims and in addition (and this is really important!!) you shouldn’t assume (ever, really) that you don’t have the updates; if you’re going to use a binary distribution don’t mix how you install things into the system (user specific or when there isn’t a package is one thing but assuming you don’t have the latest simply because the version is an older version is incorrect).

    b) (As a general point to consider) sometimes a distribution will have a different version (openssl comes to mind here with one of the recent CVEs) and therefore won’t need to be updated.
