Page 1 of 2 12 LastLast
Results 1 to 20 of 29

Thread: GHOST glibc Linux Remote Code Execution Vulnerability / gethostbyname CVE-2015-0235

  1. #1
    Join Date
    Feb 2008
    Posts
    133

    Exclamation GHOST glibc Linux Remote Code Execution Vulnerability / gethostbyname CVE-2015-0235

    It appears we have yet another sleepy crawly creepy bug lurking in the depths of our linux boxes..
    A Gblic bug that was not identified as a security bug, perhaps a true y2k bug is effecting us now..
    Possible exim.. and more.. in any case a remote execution possibility for many systems...

    I guess it is time to emergency patch all the server again as soon as the patches come available.
    As i read all distros are releasing / building patches for it.

    source: http://www.openwall.com/lists/oss-security/2015/01/27/9
    source: http://www.zdnet.com/article/critica...ty-hole-found/

    --[ 1 - Summary ]-------------------------------------------------------------

    During a code audit performed internally at Qualys, we discovered a
    buffer overflow in the __nss_hostname_digits_dots() function of the GNU
    C Library (glibc). This bug is reachable both locally and remotely via
    the gethostbyname*() functions, so we decided to analyze it -- and its
    impact -- thoroughly, and named this vulnerability "GHOST".

    Our main conclusions are:

    - Via gethostbyname() or gethostbyname2(), the overflowed buffer is
    located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the
    overflowed buffer is caller-supplied (and may therefore be located in
    the heap, stack, .data, .bss, etc; however, we have seen no such call
    in practice).

    - At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit
    machines, and 8 bytes on 64-bit machines). Bytes can be overwritten
    only with digits ('0'...'9'), dots ('.'), and a terminating null
    character ('\0').

    - Despite these limitations, arbitrary code execution can be achieved.
    As a proof of concept, we developed a full-fledged remote exploit
    against the Exim mail server, bypassing all existing protections
    (ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will
    publish our exploit as a Metasploit module in the near future.

    - The first vulnerable version of the GNU C Library is glibc-2.2,
    released on November 10, 2000.

    - We identified a number of factors that mitigate the impact of this
    bug. In particular, we discovered that it was fixed on May 21, 2013
    (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it
    was not recognized as a security threat; as a result, most stable and
    long-term-support distributions were left exposed (and still are):
    Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7,
    Ubuntu 12.04, for example.

    Read more...
    Other sources :
    https://threatpost.com/ghost-glibc-r...systems/110679
    https://bugzilla.redhat.com/show_bug...=CVE-2015-0235
    Last edited by soulshepard; 01-28-2015 at 05:46 AM.

  2. #2
    Join Date
    Feb 2005
    Location
    The Netherlands
    Posts
    394
    Interesting bit as well:

    The Exim mail server is exploitable remotely if configured to perform
    extra security checks on the HELO and EHLO commands ("helo_verify_hosts"
    or "helo_try_verify_hosts" option, or "verify = helo" ACL); we developed
    a reliable and fully-functional exploit that bypasses all existing
    protections (ASLR, PIE, NX) on 32-bit and 64-bit machines.

  3. #3
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,750
    TransIP reports:

    Debian has already released a patch and we expect the other Linux distributions to follow suit within the next few hours.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  4. #4
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,750
    CentOS:

    The exploit is fixed in glibc-2.12-1.149.el6

    Update glibc


    To mitigate the issue, please update to the latest version of glibc:
    Code:
    yum clean all && yum update "glibc*"
    Version glibc-2.12-1.149.el6 and up is not affected, so be sure you are at this patch level. If your yum repository does not have this update yet, it may still be rsyncing, or yet to rsync.

    https://www.centosblog.com/critical-...tch-glibc-now/

    After glibc update you should restart all the services (which use the lib), or reboot a server.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  5. #5
    Join Date
    Feb 2008
    Posts
    133

    update instructions

    Disclaimer: allways backup, check & test before you start updating or upgrading!, especially in production/hosting enviroments

    Some patch hints:

    CentOS

    Selective update:
    Code:
       yum clean all && yum update "glibc*"
       sudo reboot
    Do all updates:
    Code:
       yum update
       sudo reboot

    Debian 7 / Ubuntu (older then 13.10) / Turnkey Linux

    selective update:
    Code:
       sudo apt-get update && apt-get -y install libc6
       sudo reboot
    Do all updates:
    Code:
      sudo apt-get update && sudo apt-get upgrade
      sudo reboot
    Debian 6

    If you do not use LTS support , then you first need to change the sources.list. To add the option to get new user contributed updates.

    Code:
    /etc/apt/sources.list
    add the following:
    Code:
    deb http://security.debian.org/ squeeze/updates main contrib non-free
    deb-src http://security.debian.org/ squeeze/updates main contrib non-free
    then you can use:

    selective update:
    Code:
    apt-get update && apt-get -y install libc6
    sudo reboot
    complete update:
    Code:
    sudo apt-get update && sudo apt-get upgrade
    sudo reboot
    Caution: i have not tested Debian 6, but the above would enable the update.
    As allways be careful and backup / test things before you start this.

    And while you are busy with this then you can also check if the shellshock patch gas been applied .. for the people who "forgot"

    Centos:

    selective update:
    Code:
    sudo yum update bash -y
    Debian:

    selective update:
    Code:
    sudo apt-get update && sudo apt-get install --only-upgrade bash
    check:
    Code:
    env 'VAR=() { :;}; echo Bash is vulnerable!' 'FUNCTION()=() { :;}; echo Bash is vulnerable!' bash -c "echo Bash Test"
    Last edited by soulshepard; 01-28-2015 at 06:25 AM. Reason: fixed text

  6. #6
    Join Date
    Feb 2008
    Posts
    133
    more test info:

    source: http://bobcares.com/blog/ghost-hunti...linux-servers/

    Code:
    If your glibc version is lower than 2.18, you should assume that your server is vulnerable. You can check the version as given below:
    
    find /lib/ -name libc.so.*
    /lib/libc.so.6
    GNU C Library stable release version 2.12, by Roland McGrath et al.
    Last edited by soulshepard; 01-28-2015 at 02:26 AM.

  7. #7
    Join Date
    Feb 2008
    Posts
    133
    also another nice post with explenation:

    source: http://www.zdnet.com/article/critica...ty-hole-found/

    Code:
    To exploit this vulnerability, all an attacker needs to do is trigger a buffer overflow by using an invalid hostname argument to an application that performs a DNS resolution. This vulnerability then enables a remote attacker to execute arbitrary code with the permissions of the user running DNS. In short, once an attacker has exploited GHOST they may be capable of taking over the system.
    Code:
    My advice to you is to now, not later today, now, update your Linux system as soon as possible. After patching it, you should then reboot the system. I know for Linux it's rarely needed to reboot, but since gethostbyname is called on by so many core processes, such as auditd, dbus-daem, dhclient, init, master, mysqld, rsyslogd, sshd, udevd, and xinetd, you want to make absolutely sure that all your system's running programs are using the patched code.

  8. #8
    Join Date
    Feb 2008
    Posts
    133
    source: http://seclists.org/oss-sec/2015/q1/283

    As i read the following daemons are not vulnerable and were tested by Qualys.
    As it appears Exim is the most affected.

    Code:
    Here is a list of potential targets that we investigated (they all call
    gethostbyname, one way or another), but to the best of our knowledge,
    the buffer overflow cannot be triggered in any of them:
    
    apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
    nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
    pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
    vsftpd, xinetd.
    
    That being said, we believe it would be interesting if other people
    could have a look, just in case we missed something.

  9. #9
    Join Date
    Feb 2005
    Location
    Hong Kong
    Posts
    136
    a small question -

    Do we need to run custombuild recompile apache, exim, dovecot, etc with the latest glibc library?

    or simply yum update is sufficient enough?

    Sorry, I have little knowledge on the compiler and library.

    Thank you very much.
    Regards

  10. #10
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,750
    According to this:

    Code:
    lsof | grep libc
    you do *not* require to rebuild software after the glibc update.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  11. #11
    Join Date
    May 2008
    Location
    The Netherlands
    Posts
    1,192
    Quote Originally Posted by ccto View Post
    a small question -

    Do we need to run custombuild recompile apache, exim, dovecot, etc with the latest glibc library?

    or simply yum update is sufficient enough?

    Sorry, I have little knowledge on the compiler and library.

    Thank you very much.
    Regards
    No but you do need to restart all services, or simply the server as mentioned a few times in the thread already.

    The reason for this is that services load in the library when they start, if you change/update the lib afterwards it doesn't affect the running services.
    ~ Arieh

  12. #12
    Join Date
    Apr 2009
    Posts
    2,424
    @ccto, you should restart all services that uses glibc after you have run yum update, or you could reboot the server to make sure all services are restarted.

    Also follow the discussion at webhostingtalk.com at http://www.webhostingtalk.com/showthread.php?t=1450048

    If I was you, I would just run:
    Code:
    service exim restart
    And then wait for the new kernel before you reboot, so you don't have to reboot two times in short periode. It was released a new kernel to RedHat yesterday, but it is not yet available in CentOS: https://rhn.redhat.com/errata/RHSA-2015-0087.html Should be available in CentOS shortly.

    It is most important to restart exim, read more in the announcement from exim maillist here: https://lists.exim.org/lurker/messag...6f32f2.en.html

  13. #13
    Join Date
    Jan 2007
    Posts
    347
    Quote Originally Posted by ditto View Post
    It is most important to restart exim, read more in the announcement from exim maillist here: https://lists.exim.org/lurker/messag...6f32f2.en.html
    To protect Exim against the HELO/EHLO attack vector, do *not* set either
    of these in the main configuration:

    helo_verify_hosts
    helo_try_verify_hosts


    and do *not* use the following in any ACLs:

    verify = helo
    I believe by default, exim in directadmin install doesn't have those set. Right?

  14. #14
    Join Date
    Sep 2008
    Location
    London UK
    Posts
    1,747
    libc6 is already the newest version.
    Debian 6..... What do I need to do extra?

  15. #15
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,750
    Please check Debian 6 section here: #5

    and check this:

    Code:
    wget https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c
    gcc gistfile1.c -o CVE-2015-0235
    
    ./CVE-2015-0235
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  16. #16
    Join Date
    Sep 2008
    Location
    London UK
    Posts
    1,747
    Quote Originally Posted by zEitEr View Post
    Please check Debian 6 section here: #5
    I did add the extra source but same outcome

  17. #17
    Join Date
    Apr 2005
    Location
    GMT +7.00
    Posts
    13,750
    Switch to Debian LTS then: https://wiki.debian.org/LTS/Using#Us..._.286.0.29_LTS and run update.
    Regards, Alex G.

    - Get the best commercial DirectAdmin support and hire me on poralix.com
    - Follow and like @Poralix on Facebook

  18. #18
    Join Date
    Sep 2008
    Location
    London UK
    Posts
    1,747
    Quote Originally Posted by zEitEr View Post
    Switch to Debian LTS then and run update.
    Ok, that did the trick

  19. #19
    Join Date
    Oct 2004
    Location
    A Coruña, Spain
    Posts
    6,786
    Is the reboot required after the update?

    Regards
    SeLLeRoNe - Andrea Iannucci
    Head of Managed Service - Senior DevOps Engineer
    If you need my support write me an E-Mail to Support@CrazyNetwork.it

  20. #20
    Join Date
    Feb 2005
    Location
    The Netherlands
    Posts
    394
    Quote Originally Posted by SeLLeRoNe View Post
    Is the reboot required after the update?

    Regards
    Nope, but restarting all services would take longer in most cases.

Page 1 of 2 12 LastLast

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •