Upgrading glibc for the GHOST Vulnerability


GHOST is a vulnerability that was announced on January 27th 2015, which affects the glibc library on Linux systems. This vulnerability affects all Linux distributions running versions of glibc older than 2.18, and exploits a buffer overflow in the __nss_hostname_digits_dots() function. This guide will tell you how to safely upgrade your Linux distributions and secure your Linode against the GHOST vulnerability.

For reference, glibc is a full implementation of the C and C++ libraries and was developed by the GNU Project. It is used within all major Linux distributions.

What is the GHOST Vulnerability?

The GHOST vulnerability is a critical bug that affected versions of glibc that were in common use in 2015. With the GHOST vulnerability, an attacker can execute arbitrary code by leveraging user-level permissions.

This vulnerability mainly affected the gethostbyname() and gethostbyname2() functions in glibc. These functions convert a hostname to an IPv4 address and were commonly used across most networking software. As part of these functions, the function __nss_hostname_digits_dots() was used to determine if the given value is already an IPv4 address. When given a value that’s longer than an expected IPv4 address, the function results in a buffer overflow. This can crash the program and may ultimately allow an attacker to gain control of the system.

How to Patch and Protect Unix Systems Against the glibc GHOST Vulnerability?

To patch and protect Unix systems that use a GHOST-vulnerable glibc, update glibc to a patched version.

How to Find Packages or Applications That Depend on glibc?

To find packages or applications on your system that depend on vulnerable glibc, run the following command:

    lsof | grep libc | awk '{print $1}' | sort | uniq

The output lists the names of the running commands that currently have a libc file open.

Versions and Distributions Impacted by the GHOST Vulnerability

The following glibc library versions and Linux distributions were impacted by the GHOST vulnerability.

glibc versions:

  • glibc-2.17
  • glibc-2.18
  • glibc-2.19
  • glibc-2.2

Linux distributions (and other operating systems):

  • Debian 7
  • Red Hat Enterprise Linux 6 & 7
  • CentOS 6 & 7
  • Ubuntu 12.04
  • Majority of the BSD variants except for Mac OSX, OpenBSD, FreeBSD

The following Linux distributions are not affected by the GHOST vulnerability:

  • Fedora 20 and newer
  • Ubuntu 14.04 and newer
  • Arch
  • openSUSE 13.2 and newer

Prior unsupported versions of the listed distributions may not have patches available. It is recommended to upgrade any systems still running unsupported distributions.

Determining the Installed glibc Version

You can check the version of glibc on your system using your package manager.

Debian and Ubuntu

To check the version of glibc on your system, run the following command. In the output, look for the line beginning with Version:

# aptitude show libc6
Package: libc6
State: installed
Automatically installed: no
Multi-Arch: same
Version: 2.13-38+deb7u6
Priority: required
Section: libs
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Architecture: amd64
Uncompressed Size: 9,687 k
Depends: libc-bin (= 2.13-38+deb7u6), libgcc1
Suggests: glibc-doc, debconf | debconf-2.0, locales
Conflicts: prelink (<= 0.0.20090311-1), tzdata (< 2007k-1), tzdata-etch
Breaks: locales (< 2.13), locales-all (< 2.13), lsb-core (<= 3.2-27), nscd (< 2.13)
Replaces: libc6-amd64
Provides: glibc-2.13-1
Description: Embedded GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs on the system. This package includes shared versions of the standard C library and the
 standard math library, as well as many others.
Homepage: http://www.eglibc.org

On Debian 7 systems, versions of glibc earlier than 2.13-38+deb7u7 are vulnerable, and on Ubuntu 12.04, versions before 2.15-0ubuntu10.10.

CentOS 6 & 7

To check the version of glibc on your system, run the following command. In the output, look for the line beginning with Release: under the Installed Packages heading:

# yum info glibc

....

Installed Packages
Name        : glibc
Arch        : x86_64
Version     : 2.17
Release     : 55.el7_0.1
Size        : 13 M
Repo        : installed
From repo   : updates
Summary     : The GNU libc libraries
URL         : http://www.gnu.org/software/glibc/
License     : LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
Description : The glibc package contains standard libraries which are used by
            : multiple programs on the system. In order to save disk space and
            : memory, as well as to make upgrading easier, common system code is
            : kept in one place and shared between programs. This particular package
            : contains the most important sets of shared libraries: the standard C
            : library and the standard math library. Without these two libraries, a
            : Linux system will not function.

On CentOS 7 systems, versions of glibc before glibc-2.17-55.el7_0.5 are vulnerable, and on CentOS 6 versions before glibc-2.12-1.149.el6_6.5.
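The version thresholds quoted in the Debian/Ubuntu and CentOS sections above can be checked mechanically. The following is an added example, not part of the original guide: the function names are hypothetical, and version ordering uses GNU `sort -V` as an approximation of dpkg/rpm ordering, which is adequate for the version strings quoted here.

```shell
#!/usr/bin/env bash
# Added example: compare an installed glibc package version with the first
# fixed version quoted in this guide. Function names are hypothetical.

# First patched package version per release, taken from this guide.
fixed_version() {
  case "$1" in
    debian7)     echo "2.13-38+deb7u7" ;;
    ubuntu12.04) echo "2.15-0ubuntu10.10" ;;
    centos6)     echo "2.12-1.149.el6_6.5" ;;
    centos7)     echo "2.17-55.el7_0.5" ;;
    *)           return 1 ;;
  esac
}

# version_lt A B: succeed when A sorts strictly before B (GNU sort -V order).
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# ghost_status RELEASE INSTALLED_VERSION -> vulnerable | patched | unknown
ghost_status() {
  _fixed=$(fixed_version "$1") || { echo unknown; return 0; }
  if version_lt "$2" "$_fixed"; then
    echo vulnerable
  else
    echo patched
  fi
}

# installed_glibc: print the installed version using the local package manager.
installed_glibc() {
  if command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f='${Version}\n' libc6
  elif command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc
  fi
}

# Usage on a CentOS 7 host: ghost_status centos7 "$(installed_glibc)"
```

Releases not listed in this guide report `unknown` rather than a guess.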

Testing with GCC For The GHOST Vulnerability

The original security advisory for CVE-2015-0235 included the following code to test for the vulnerability. This method requires that you have gcc installed on your system. If you don’t, you can install it from your package manager, or use the alternate check above.

  1. Create a GHOST.c file with the following contents.

    File: ~/GHOST.c
    
    #include <netdb.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>
    #include <errno.h>
    
    # define CANARY "in_the_coal_mine"
    
    struct {
      char buffer[1024];
      char canary[sizeof(CANARY)];
    } temp = { "buffer", CANARY };
    
    int main(void) {
      struct hostent resbuf;
      struct hostent *result;
      int herrno;
      int retval;
    
      /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
      size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
      char name[sizeof(temp.buffer)];
      memset(name, '0', len);
      name[len] = '\0';
    
      retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
    
      if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
      }
      if (retval == ERANGE) {
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
      }
      puts("should not happen");
      exit(EXIT_FAILURE);
    }

  2. Compile the program.

    gcc GHOST.c -o GHOST
    
  3. Run the compiled GHOST binary. Your terminal should print “vulnerable” or “not vulnerable” depending on your system’s status.

    ./GHOST
    

Remediation: Upgrading glibc to Protect Against the Ghost Vulnerability

Below is the relevant information for upgrading glibc and ensuring that your Linode is no longer vulnerable to the bug. Each section is designed for individual distributions. The sections are written with the assumption that you have root access or sudo privileges. If you do not, you will not be able to run these commands.

Note
You will need to reboot after completing your upgrade to ensure that the vulnerable code no longer remains in your system memory. Once you have rebooted, we recommend re-running the program created in the Testing with GCC section to confirm that the patch has been applied.
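To see why the reboot (or a restart of every long-running service) matters, the following added example lists processes that still map the old libc after the package has been replaced. It is not part of the original guide. It relies on the kernel marking mappings of an unlinked file as "(deleted)" in /proc/<pid>/maps; the function names and the sample maps lines are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: after upgrading glibc, list processes that still map the
# old, now-unlinked libc. Such processes keep running pre-patch code until
# they are restarted. Function names are hypothetical.

# has_stale_libc: read maps text on stdin; succeed if a deleted libc is mapped.
has_stale_libc() {
  grep -Eq '/libc(-[0-9.]+)?\.so[^/ ]* \(deleted\)$'
}

# stale_libc_pids [PROC_ROOT]: print "PID NAME" for each affected process.
stale_libc_pids() {
  root=${1:-/proc}
  for maps in "$root"/[0-9]*/maps; do
    [ -r "$maps" ] || continue
    if has_stale_libc < "$maps" 2>/dev/null; then
      dir=${maps%/maps}
      name=$(cat "$dir/comm" 2>/dev/null || echo '?')
      echo "${dir##*/} $name"
    fi
  done
}

# make_sample_proc DIR: build a constructed /proc-like tree for a dry run.
make_sample_proc() {
  mkdir -p "$1/101" "$1/202"
  echo sshd > "$1/101/comm"
  echo cron > "$1/202/comm"
  # Constructed maps lines: PID 101 still maps the replaced library.
  cat > "$1/101/maps" <<'EOF'
00400000-004b0000 r-xp 00000000 08:01 262190 /usr/sbin/sshd
7f1c2a000000-7f1c2a182000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
EOF
  # PID 202 was started after the upgrade and maps the current file.
  cat > "$1/202/maps" <<'EOF'
00400000-00409000 r-xp 00000000 08:01 262200 /usr/sbin/cron
7f9d10000000-7f9d10182000 r-xp 00000000 08:01 140021 /lib/x86_64-linux-gnu/libc-2.13.so
EOF
}

# On a live system, run as root: stale_libc_pids
```

An empty result from `stale_libc_pids` after the upgrade means no readable process is still running on the replaced library.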

Upgrading glibc On Ubuntu and Debian

To upgrade glibc on Ubuntu and Debian, run these commands to update and upgrade via the package manager. If you are not running as the root user, prepend sudo to each command:

Caution
If you have packages that have older dependencies, you may want to utilize apt-get with the upgrade flag, rather than dist-upgrade. This will prevent packages with older dependencies from being removed from your system. If using this method, be sure to check your command output to ensure that the patched version of glibc is actually installed.

apt-get update
apt-get dist-upgrade

Upgrading glibc On CentOS and Fedora

To upgrade glibc on yum based systems such as CentOS and Fedora, run these commands to update and upgrade via the package manager. If you are not running as the root user, prepend sudo to each command:

yum clean all
yum update

The command yum upgrade will also update the glibc version as well as remove previous obsolete packages.

How To Update glibc without Yum?

If for some reason you don’t have access to the yum package manager, you can update glibc from rpm instead. To upgrade your glibc using rpm, download the relevant glibc files. For example, you can download the following to update to the 2.17 version:

  • glibc-devel-2.17-317.el7.i686.rpm
  • glibc-common-2.32-2.fc33.x86_64.rpm
  • glibc-headers-2.28-141.el8.x86_64.rpm
  • glibc-2.28-141.el8.x86_64.rpm
  • nscd-2.28-141.el8.x86_64.rpm

Once you have these files on your system, you can run the following command to update your glibc version:

rpm -Uvh *.rpm

Running the above command installs or upgrades the packages from every .rpm file in the current directory.
