CVE-2015-0235: GHOST in the GNU C Library

Ghost Vulnerability

A critical vulnerability is discovered in GNU C Library (glibc). The GNU C Library, commonly known as glibc, is the GNU Project’s implementation of the C standard library and a core part of the Linux operating system.

GNU C Library (glibc) is used in most of the Linux distributions, which is prone to a heap-based buffer overflow vulnerability and allows local and remote attackers to execute arbitrary code on the vulnerable systems. The vulnerability was discovered by researchers at Qualys. CVE-2015-0235 has been assigned to this vulnerability.

The vulnerability exists in the __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls, hence the name GHOST (GetHOST) vulnerability. The vulnerability can be triggered via gethostbyname() and gethostbyname2() functions. Successful exploitation allows local/remote attackers to execute arbitrary code. Also attacker can bypass security protections mechanism like NX, ASLR and PIE on both 32-bit and 64-bit systems successfully.

GNU C Library (glibc) is used in most of the Linux based appliances from different vendors and it’s a core component for Linux systems. Similar to Heartbleed, Shellshock and POODLE, this affects wide range of applications. Due to it’s nature and wide range of affected products it’s rated as critical vulnerability.

According to Qualys this bug was fixed in 2013 as a minor bug fix but not as security fix, hence vendors using glibc library at that time have ignored to update, as a result, many stable and LTS (long term support) distributions are affected by this vulnerability including Debian 7, RHEL 6 & 7, CentOS 6 & 7, Ubuntu 12.04 etc.

Simple steps to check GNU C Library is vulnerable:

  1. We can download a tool from the University of Chicago that will let us test our system for the vulnerability.
    • wget
  2. Run Following commands:
    • gcc GHOST.c -o GHOST
    • ./GHOST
  3. The above command responds whether the system is vulnerable OR not vulnerable
    • vulnerable

We strongly suggest applying the latest available patches from your vendors as soon as possible and you need to reboot for changes to take effect.

SecPod Saner detects these vulnerabilities and automatically fixes them by applying security updates. Download Saner now and keep your systems updated and secure.

– Kumarswamy S

Subscribe For More Posts Like This

Get the latest research, best practices, industry trends and cybersecurity blogs from SecPod security experts

Invalid email address
We promise not to spam you. You can unsubscribe at any time.
0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments