Upgrading glibc for the GHOST Vulnerability
GHOST is a vulnerability that was announced on January 27th, 2015, and affects the glibc library on Linux systems. It affects all Linux distributions running versions of glibc older than 2.18, and stems from a buffer overflow in the __nss_hostname_digits_dots() function. This guide shows you how to safely upgrade glibc on your Linux distribution and secure your Linode against the GHOST vulnerability.
For reference, glibc is a full implementation of the C and C++ libraries and was developed by the GNU Project. It is used within all major Linux distributions.
What is the GHOST Vulnerability?
The GHOST vulnerability is a critical bug that affected versions of glibc that were commonly in use in 2015. With the GHOST vulnerability, an attacker can execute any code they want by leveraging user-level permissions.
This vulnerability mainly affected the gethostbyname2() and gethostbyname() functions in glibc. These functions convert a hostname to an IPv4 address and were commonly used across most networking software. As part of these functions, __nss_hostname_digits_dots() was used to determine whether the given value is already an IPv4 address. When given a value longer than an expected IPv4 address, the function overflows its buffer. This can crash the program and may ultimately allow an attacker to gain control of the system.
How to Patch and Protect Unix Systems Against the glibc GHOST Vulnerability?
To patch and protect Unix systems running a GHOST-vulnerable glibc, simply update glibc to a fixed version.
How to Find Packages or Applications That Depend on glibc?
To find packages or applications on your system that depend on vulnerable glibc, run the following command:
lsof | grep libc | awk '{print $1}' | sort | uniq
This prints, on your terminal, the list of running applications (the COMMAND column from lsof) that currently have libc loaded.
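As an added example that is not part of the original guide, the following POSIX shell script does the same enumeration from /proc instead of lsof and goes one step further: it flags processes whose libc mapping refers to a deleted file, which is what a process still running the old glibc looks like after the package has been upgraded but before it has been restarted or the system rebooted. The script name and function names are assumptions; the /proc/PID/comm and /proc/PID/maps layout it reads is the standard Linux one, and the proc root is a parameter so it can be pointed at a constructed tree.

```shell
#!/bin/sh
# libc_users.sh (added example, hypothetical name): find processes that have
# libc mapped, and flag those still mapping a deleted (already-replaced) copy.
# Reads the standard Linux layout /proc/<pid>/comm and /proc/<pid>/maps;
# the proc root is a parameter so the script can run against a test tree.

# list_libc_users [PROC_ROOT]
# Prints one line per (pid, libc path) pair: "PID COMM PATH", with " STALE"
# appended when the mapping refers to a file that has been replaced on disk.
list_libc_users() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue            # unreadable or no match: skip
        pid_dir="${maps%/maps}"
        pid="${pid_dir##*/}"
        comm="$(cat "$pid_dir/comm" 2>/dev/null || echo '?')"
        # match /libc.so.6 or /libc-2.13.so but not libcrypto, libcap, ...
        grep -E '/libc(-[0-9.]+)?\.so' "$maps" 2>/dev/null \
          | awk -v pid="$pid" -v comm="$comm" '
              { path = $6
                stale = ($0 ~ /\(deleted\)/) ? " STALE" : ""
                key = path stale }
              !(key in seen) { seen[key] = 1; print pid, comm, path stale }'
    done
}

# count_stale [PROC_ROOT]: number of stale libc mappings (process/path pairs).
# Non-zero after an upgrade means a restart or reboot is still needed.
count_stale() {
    list_libc_users "$1" | grep -c ' STALE$' || true
}

# Run directly: report on the live system.
case "${0##*/}" in
    libc_users.sh) list_libc_users "${1:-/proc}"
                   echo "stale libc mappings: $(count_stale "${1:-/proc}")" ;;
esac
```

Run it as root (or with sudo) so that every process's maps file is readable; a process with a STALE line has the old library text still in memory regardless of what the package manager reports, which is the reason the reboot recommendation later in this guide exists.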
Versions and Distributions Impacted by the GHOST Vulnerability
The following glibc library versions and Linux distributions were impacted by the GHOST vulnerability.
glibc versions:
- glibc-2.17
- glibc-2.18
- glibc-2.19
- glibc-2.2
Linux distributions (and other operating systems):
- Debian 7
- Red Hat Enterprise Linux 6 & 7
- Centos 6 & 7
- Ubuntu 12.04
- Majority of the BSD variants, except for Mac OSX, OpenBSD, FreeBSD
The following Linux distributions are not affected by the GHOST vulnerability:
- Fedora 20 and newer
- Ubuntu 14.04 and newer
- Arch
- openSUSE 13.2 and newer
Prior unsupported versions of the listed distributions may not have patches available. It is recommended to upgrade any systems still running unsupported distributions.
Determining the Installed glibc Version
You can check the version of glibc on your system using your package manager.
Debian and Ubuntu
To check the version of glibc on your system, run the following command. In the output, look for the line beginning with Version:
# aptitude show libc6
Package: libc6
State: installed
Automatically installed: no
Multi-Arch: same
Version: 2.13-38+deb7u6
Priority: required
Section: libs
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Architecture: amd64
Uncompressed Size: 9,687 k
Depends: libc-bin (= 2.13-38+deb7u6), libgcc1
Suggests: glibc-doc, debconf | debconf-2.0, locales
Conflicts: prelink (<= 0.0.20090311-1), tzdata (< 2007k-1), tzdata-etch
Breaks: locales (< 2.13), locales-all (< 2.13), lsb-core (<= 3.2-27), nscd (< 2.13)
Replaces: libc6-amd64
Provides: glibc-2.13-1
Description: Embedded GNU C Library: Shared libraries
Contains the standard libraries that are used by nearly all programs on the system. This package includes shared versions of the standard C library and the
standard math library, as well as many others.
Homepage: http://www.eglibc.org
On Debian 7 systems, versions of glibc earlier than 2.13-38+deb7u7 are vulnerable, and on Ubuntu 12.04, versions before 2.15-0ubuntu10.10.
CentOS 6 & 7
To check the version of glibc on your system, run the following command. In the output, look for the line beginning with Release: under the Installed Packages heading:
# yum info glibc
....
Installed Packages
Name : glibc
Arch : x86_64
Version : 2.17
Release : 55.el7_0.1
Size : 13 M
Repo : installed
From repo : updates
Summary : The GNU libc libraries
URL : http://www.gnu.org/software/glibc/
License : LGPLv2+ and LGPLv2+ with exceptions and GPLv2+
Description : The glibc package contains standard libraries which are used by
: multiple programs on the system. In order to save disk space and
: memory, as well as to make upgrading easier, common system code is
: kept in one place and shared between programs. This particular package
: contains the most important sets of shared libraries: the standard C
: library and the standard math library. Without these two libraries, a
: Linux system will not function.
On CentOS 7 systems, versions of glibc before glibc-2.17-55.el7_0.5 are vulnerable, and on CentOS 6, versions before glibc-2.12-1.149.el6_6.5.
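Reading the Version: or Release: line by eye works, but the comparison is easy to get wrong with suffixes such as +deb7u6 or el7_0.1. As an added example that is not part of the original guide, the following POSIX shell script serves both the Debian/Ubuntu and the CentOS sections above: it extracts the installed version from output shaped like aptitude show libc6 and yum info glibc (the samples embedded here are constructed to match the listings above, not captured from a live host), and compares it with the fixed builds the guide names. The script and function names are assumptions, and GNU sort -V is used as an approximation of dpkg/rpm version ordering.

```shell
#!/bin/sh
# glibc_check.sh (added example, hypothetical name): pull the installed glibc
# version out of package-manager output and compare it with the first fixed
# build for the distribution, using the thresholds given in the guide.

# Constructed sample in the shape of `aptitude show libc6` on Debian 7.
SAMPLE_APT='Package: libc6
State: installed
Version: 2.13-38+deb7u6
Priority: required'

# Constructed sample in the shape of `yum info glibc` on CentOS 7.
SAMPLE_YUM='Installed Packages
Name        : glibc
Arch        : x86_64
Version     : 2.17
Release     : 55.el7_0.1
Size        : 13 M'

# deb_version TEXT: the value of the first "Version:" line.
deb_version() {
    printf '%s\n' "$1" | awk '$1 == "Version:" { print $2; exit }'
}

# rpm_version TEXT: "Version-Release" from the Installed Packages section,
# i.e. the same form as the thresholds quoted in the guide (2.17-55.el7_0.5).
rpm_version() {
    printf '%s\n' "$1" | awk '
        /^Installed Packages/          { inst = 1 }
        inst && $1 == "Version"        { v = $3 }
        inst && $1 == "Release"        { r = $3 }
        v != "" && r != ""             { print v "-" r; exit }'
}

# version_lt A B: true when A sorts strictly before B.  GNU `sort -V` is an
# approximation of dpkg/rpm ordering that handles these strings; on a real
# Debian host prefer `dpkg --compare-versions A lt B`.
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# check_glibc INSTALLED FIXED: one-line verdict.
check_glibc() {
    if version_lt "$1" "$2"; then
        echo "vulnerable: $1 is older than fixed build $2"
    else
        echo "patched: $1 is at or above fixed build $2"
    fi
}

# Worked run against the constructed samples and the guide's thresholds.
check_glibc "$(deb_version "$SAMPLE_APT")" "2.13-38+deb7u7"
check_glibc "$(rpm_version "$SAMPLE_YUM")" "2.17-55.el7_0.5"
# Live use on Debian 7:  check_glibc "$(deb_version "$(aptitude show libc6)")" 2.13-38+deb7u7
# Live use on CentOS 7:  check_glibc "$(rpm_version "$(yum info glibc)")" 2.17-55.el7_0.5
```

Both constructed samples are below their thresholds, so the worked run reports both as vulnerable; substitute the CentOS 6 or Ubuntu 12.04 thresholds from the text when checking those releases.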
Testing with GCC For The GHOST Vulnerability
The original security advisory for CVE-2015-0235 included the following code to test for the vulnerability. This method requires that you have gcc installed on your system. If you don't, you can install it from your package manager, or use the package-manager version check above instead.
Create a GHOST.c file with the following contents.
File: ~/GHOST.c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r(),
 * so an overflow of that buffer overwrites it. */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  /* Name length chosen so a vulnerable __nss_hostname_digits_dots() writes
   * exactly one byte past the buffer, into the canary. */
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];

  /* A long run of digits is treated as a numeric address, which is the
   * code path that contains the bug. */
  memset(name, '0', len);
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  /* A modified canary means the buffer was overrun: vulnerable. */
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  /* A patched glibc rejects the oversized name with ERANGE instead. */
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}
Compile the program:
gcc GHOST.c -o GHOST
Execute the compiled GHOST binary. Your terminal should print “vulnerable” or “not vulnerable” depending on your system's status.
./GHOST
Remediation: Upgrading glibc to Protect Against the Ghost Vulnerability
Below is the relevant information for upgrading glibc and ensuring that your Linode is no longer vulnerable to the bug. Each section is designed for individual distributions. The sections are written with the assumption that you have root access or sudo privileges. If you do not, you will not be able to run these commands.
Note: You will need to reboot after completing your upgrade to ensure that the vulnerable code no longer remains in your system memory. Once you have rebooted, we recommend re-running the program created in the Testing with GCC section to confirm that the patch has been applied.
Upgrading glibc On Ubuntu and Debian
To upgrade glibc on Ubuntu and Debian, run these commands to update and upgrade via the package manager. If you are not running as the root user, prepend sudo to each command:
Caution: If you have packages that have older dependencies, you may want to use apt-get with the upgrade flag rather than dist-upgrade. This will prevent packages with older dependencies from being removed from your system. If using this method, be sure to check your command output to ensure that the patched version of glibc is actually installed.
apt-get update
apt-get dist-upgrade
Upgrading glibc On CentOS and Fedora
To upgrade glibc on yum-based systems such as CentOS and Fedora, run these commands to update and upgrade via the package manager. If you are not running as the root user, prepend sudo to each command:
yum clean all
yum update
The command yum upgrade will also update the glibc version, and additionally removes obsolete packages.
How To Update glibc without Yum?
If for some reason you don't have access to the yum package manager, you can update glibc with rpm instead. To upgrade glibc using rpm, download the relevant glibc packages. For example, you can download the following to update to the 2.17 version:
- glibc-devel-2.17-317.el7.i686.rpm
- glibc-common-2.32-2.fc33.x86_64.rpm
- glibc-headers-2.28-141.el8.x86_64.rpm
- glibc-2.28-141.el8.x86_64.rpm
- nscd-2.28-141.el8.x86_64.rpm
Once you have these files on your system, run the following command in the directory containing them to update your glibc version:
rpm -Uvh *.rpm
Running the above command upgrades the installed package for every .rpm file in the current directory.