On January 27th, Qualys announced that they had uncovered a buffer overflow vulnerability in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). It is reachable through the gethostbyname*() family of glibc functions, hence its nickname: GHOST.
The bug was introduced in glibc 2.2, released in November 2000, and was fixed upstream before the release of glibc 2.18 in May 2013. However, most Linux distributions did not pick up the new version in their repositories at the time, so the fix did not propagate.
i. Firstly, what it implies (quoting from Red Hat's errata):
A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
ii. How to find out the installed version of glibc:
To find out if you are exposed, check for example the version of ldd, a utility that ships with the glibc package and reports the same version number as the installed library.
iii. How to fix
The fix consists of simply updating the glibc package (make sure to clean the package manager's cache first) and rebooting the system (given that bash and sshd, amongst others, use the GNU C library and keep the old copy loaded until they are restarted).
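The following POSIX shell script is an added example, not code from the original post, that ties the check in section ii and the fix in section iii together: it parses the version out of ldd --version, compares it with 2.18 (the first upstream release the post names as carrying the fix), and prints the update-and-reboot commands for whichever of yum or apt-get is present. The sample ldd outputs are constructed, and the yum/apt-get command lines are this example's assumption of the usual commands, not taken from a vendor advisory. Because distributions backport the fix without bumping the version number, an old number only means "check your distribution's advisory" and is never by itself proof of exposure.

```shell
#!/bin/sh
# Added example, not from the original post: parse the glibc version out of
# `ldd --version`, compare it with 2.18 (the first upstream release the post
# names as carrying the fix) and print the update commands for the package
# manager found on the host. The sample ldd outputs below are constructed.
# Caveat: distributions that backported the fix keep the old version number,
# so an "old" number only means "check your distribution's advisory".

# Print "major.minor" from the first line of `ldd --version` output ($1);
# prints nothing when the last field of that line is not a version number.
parse_glibc_version() {
    printf '%s\n' "$1" | awk 'NR == 1 && $NF ~ /^[0-9]+\.[0-9]+/ { print $NF }'
}

# Minor component of a version string ("2.13" -> 13, "2" -> 0).
minor_of() {
    case "$1" in
        *.*) m=${1#*.}; printf '%s' "${m%%.*}" ;;
        *)   printf '0' ;;
    esac
}

# True (exit 0) when version $1 >= version $2, compared numerically on major.minor.
version_ge() {
    maj1=${1%%.*}; min1=$(minor_of "$1")
    maj2=${2%%.*}; min2=$(minor_of "$2")
    [ "$maj1" -gt "$maj2" ] || { [ "$maj1" -eq "$maj2" ] && [ "$min1" -ge "$min2" ]; }
}

# Classify an installed version: "upstream-fixed" for 2.18 and later,
# otherwise "check-distro-advisory" (the package may carry a backported fix).
classify_glibc() {
    if version_ge "$1" 2.18; then
        echo "upstream-fixed"
    else
        echo "check-distro-advisory"
    fi
}

# Update commands per package manager ($1 = yum or apt), following the post:
# clean the repository cache, update glibc, then reboot so that long-running
# processes linked against the old library (sshd, bash, ...) pick up the fix.
# These command lines are an assumption of this example, not from an advisory.
update_commands() {
    case "$1" in
        yum) echo "yum clean all && yum update glibc && reboot" ;;
        apt) echo "apt-get clean && apt-get update && apt-get install --only-upgrade libc6 && reboot" ;;
        *)   echo "unknown package manager: $1"; return 1 ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_OLD='ldd (Example EGLIBC 2.13-0example1) 2.13
Copyright (C) 2011 Free Software Foundation, Inc.'
SAMPLE_NEW='ldd (GNU libc) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.'

for s in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
    v=$(parse_glibc_version "$s")
    echo "sample glibc $v: $(classify_glibc "$v")"
done

# Live check on this host, skipped when ldd is not available.
if command -v ldd >/dev/null 2>&1; then
    v=$(parse_glibc_version "$(ldd --version 2>/dev/null || true)")
    if [ -n "$v" ]; then
        echo "installed glibc $v: $(classify_glibc "$v")"
        if command -v yum >/dev/null 2>&1; then update_commands yum
        elif command -v apt-get >/dev/null 2>&1; then update_commands apt
        fi
    else
        echo "could not parse ldd --version output; check your distribution's advisory"
    fi
fi
```

Run it as a normal user to see the classification; the printed update line is meant to be reviewed and then run as root. On a host whose distributor backported the fix (the package links listed below), compare the installed package version against the advisory rather than trusting the major.minor number alone.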
We have taken the time to analyze the security bulletins issued by the major cloud providers and Linux distributors in order to see which of them have added the updated versions; the summary is as follows:
iii.i. Unaffected versions: Ubuntu 14.04 (which comes with glibc 2.18)
iii.ii. Affected versions: all the rest (unfortunately), including Debian Wheezy/Squeeze, Ubuntu 12.04, CentOS 6-7, Amazon Linux 2014.09, Red Hat 5-7, etc.
However, most Linux distributors have backported patches into their updated glibc packages to address the problem, so here are the useful links to the relevant package versions and additional info:
1. Amazon Linux:
– Amazon Linux OS: https://alas.aws.amazon.com/ALAS-2015-473.html
– Amazon Linux Elastic Beanstalk environments, how to patch: https://forums.aws.amazon.com/ann.jspa?annID=2855
4. CentOS: According to their forum, all updates for CentOS 5, 6 and 7 have been released and are distributed to mirrors.
Wishing all smooth upgrades,