GHOST: glibc vulnerability (CVE-2015-0235)
Red Hat Product Security has been made aware of a critical vulnerability in the glibc library, which has been assigned CVE-2015-0235 and is commonly referred to as 'GHOST'. All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.
Background Information
GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.
Impact
The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.
Determining Vulnerability
As a Red Hat customer, the easiest way to check for the vulnerability and confirm remediation is the Red Hat Access Lab: glibc (GHOST) Detector. Please make sure that you have installed the correct version prior and if you are downloading the package for RHEL 4, you must be subscribed to the ELS channel or have downloaded the ELS version of the package. The RHEL 4 non-ELS subscription version will show a "vulnerable" message.
Resolution
To eliminate the possibility of an exploit:
1. Update the glibc and nscd packages on your system using the packages released with the following errata:
- Red Hat Enterprise Linux Server 5: RHSA-2015:0090
- Red Hat Enterprise Linux Server (v. 6): RHSA-2015:0092
- Red Hat Enterprise Linux Server (v. 7): RHSA-2015:0092
- Red Hat Enterprise Linux Desktop 5: RHSA-2015:0090
- Red Hat Enterprise Linux Desktop 6: RHSA-2015:0092
- Red Hat Enterprise Linux Desktop 7: RHSA-2015:0092
- Red Hat Enterprise Linux HPC Node 6: RHSA-2015:0092
- Red Hat Enterprise Linux HPC Node 7: RHSA-2015:0092
- Red Hat Enterprise Linux Workstation 6: RHSA-2015:0092
- Red Hat Enterprise Linux Workstation 7: RHSA-2015:0092
- Red Hat Enterprise Linux Server EUS (v. 6.6): RHSA-2015:0092
- Red Hat Enterprise Linux Server EUS (v. 6.5): RHSA-2015:0099
- Red Hat Enterprise Linux Server EUS (v. 6.4): RHSA-2015:0099
- Red Hat Enterprise Linux Server EUS (v. 5.9): RHSA-2015:0099
- Red Hat Enterprise Linux ELS (v. 4): RHSA-2015:0101
- An active ELS subscription is required for access to this patch in RHEL 4. (What is the Red Hat Enterprise Linux Extended Life Cycle Support Add-On (ELS)?)
- Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription: Contact Sales.
2. Reboot the system or restart all affected services:
Because this vulnerability affects a large amount of applications on the system, the safest and recommended way to assure every application uses the updated glibc packages is to restart the system.
In case you are unable to restart the entire system after applying the update, execute the following command to list all running processes (not restricted to services) still using the old [in-memory] version of glibc on your system.
lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t
From the resulting list, identify the public-facing services and restart them. While this process may work as a temporary workaround, it is not supported by Red Hat and, should a problem arise, you will be requested to reboot the system before any troubleshooting begins.
78 Comments
We are currently working on and testing errata for RHEL 4, we will post an update for it as soon as it's ready. Thank you for your patience!
Hello Red Hat Support,
we're getting this on an old RHEL3 system and could not update until now due to a special application running on this server. Any recomandation?
$ ./GHOST-test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.3 revision 2
./GHOST-test.sh: line 21: 10#(2.17) > 10#(2.3): syntax error in expression (error token is "(2.17) > 10#(2.3)")
./GHOST-test.sh: line 25: 10#(2.17) < 10#(2.3): syntax error in expression (error token is "(2.17) < 10#(2.3)")
This system is vulnerable to CVE-2015-0235. https://access.redhat.com/security/cve/CVE-2015-0235
Please refer to https://access.redhat.com/articles/1332213 for remediation steps
$ cat /etc/redhat-release
Red Hat Enterprise Linux ES release 3 (Taroon Update 9)
Hi - can you please contact Global Support Services directly, contact details here: https://access.redhat.com/support/contact/technicalSupport/
This isn't a support forum and isn't routinely monitored by support.
Thank you Sean
Hi,
I'm getting this output when running the detector on RHEL4.
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.3 revision 4
./ghost.sh: line 21: 10#(2.17) > 10#(2.3): syntax error in expression (error token is "(2.17) > 10#(2.3)")
./ghost.sh: line 25: 10#(2.17) < 10#(2.3): syntax error in expression (error token is "(2.17) < 10#(2.3)")
This system is vulnerable to CVE-2015-0235. https://access.redhat.com/security/cve/CVE-2015-0235 Please refer to https://access.redhat.com/articles/1332213 for remediation steps
Or did I anything wrong?
The GHOST-test.sh script appears not to work properly? I've checked a system that the script says is NOT vulnerable, but yet the security errata is still applicable.
Version of glibc installed: 2.5-123
Version provided by the errata: 2.5-123.el5_11.1
I could see below update on recently updated machine..Is it effected Server release 6.6 (Santiago) ?
[root@XXXX~]# ./vulnertest.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 149
Not Vulnerable.
[root@XXXX ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.6 (Santiago)
The server isn't affected as it has the patch installed.
Hello Red Hat Support,
we're getting this on an old RHEL3 system and could not update until now due to a special application running on this server. Any recomantation?
$ ./GHOST-test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.3 revision 2
./GHOST-test.sh: line 21: 10#(2.17) > 10#(2.3): syntax error in expression (error token is "(2.17) > 10#(2.3)")
./GHOST-test.sh: line 25: 10#(2.17) < 10#(2.3): syntax error in expression (error token is "(2.17) < 10#(2.3)")
This system is vulnerable to CVE-2015-0235. https://access.redhat.com/security/cve/CVE-2015-0235
Please refer to https://access.redhat.com/articles/1332213 for remediation steps
$ cat /etc/redhat-release
Red Hat Enterprise Linux ES release 3 (Taroon Update 9)
We are currently using RHEL 5.7 and 6.3 and using glibc-2.12-1.132.el6_5.4 for 6.3 and glibc-2.5-118.el5_10.3 for 5.7. We would like to confirm is it must restart the system after apply this errata in our environment? thanks.
Since it's pretty tedious to find out the applications using the glibc library, for the safter side, it's recommended to restart the server.
Dear All,
Something is not good here. Red Hat claims that they fixed the issue with this errata: https://rhn.redhat.com/errata/RHSA-2015-0092.html (glibc-2.12-1.149.el6_6.5.x86_64.rpm) but some tester still says that my WS is vulnerable.
The suggestion is to check your systems with the GHOST-test.sh script. That script does not do anything but checks your glibc version:
BUT, it seems my RH is still vulnerable and I can prove it with the following two method (which tries to use the sec hole itself and not only tests the glibc version):
1)
2)
So, did Red Hat fixed this?
Opened a case with our TAM. Will report here.
Ok, so turned out that the GHOST-test.sh is wrong!
It says my WS is not vulnerable but it is actually!
I it running with highest priority, so I guess they will release a fixed version soon.
Until then use the following method to determine:
Balazs
Hi Balazs
I have done your clockdiff test on a few VMs I have here and nothing is returned despite one of them running version 2.12 rev 132 which is apparently vulnerable?
cheers
Darren
Hi Darren,
Hmm, I did not see this before. Then go for the tester written in C (see above).
Hi,
Thanks, C test works and shows patched one as OK and unpatched as vulnerable, rolling out patches to the others now
Thanks
The GHOST-test.sh script does not account for the RPM release version and reports glibc-2.12-1.149.el6.x86_64 is not vulnerable when it is, from https://rhn.redhat.com/errata/RHSA-2015-0092.html for RHEL6 x86_64 the release with the fix is "1.149.el6_6.5" and not just "1.149.el6".
My tests show everything is fine (freshly-built RHEL 6.6 VM):
I see that you already opened a case with your TAM - hopefully you'll be able to resolve this soon.
The problem is with the revision of the glibc package.
What I have installed is:
glibc-2.12-1.149.el6_6.4.x86_64
The fixed version is:
glibc-2.12-1.149.el6_6.5.x86_64
So glibc package with 1.149.el6_6.4 revision is still vulnerable but with 1.149.el6_6.5 revision is not anymore.
The GHOST-tester.sh ignores the last part of the revision and this is wrong!
According to the script, the system is not vulnerable if the revision is higher then 1.148 (in case of RHEL6). Actually, the system is not vulnerable if the revision of glibc is higher or equal to 1.149.el6_6.5 (in case of RHEL6).
Balazs
P.S.: Official answer from our RH TAM:
Hi Balazs,
please note that the GHOST script provided by Red Hat is faulty and does not work correctly. Make sure to update to https://access.redhat.com/node/1333263 as all previous versions are vulnerable.
Even if the script got the rpm versions right, surely it's misleading to claim the system isn't vulnerable without checking the start date of relevant daemons against the time of the update.
If you're going to check whether you have packages without the update, and aren't going to try an exploit, surely the way to do it is something like this, which is meant to be a one-liner:
Note that there's another problem: if you rely on updates via yum --security, you won't get the fix on RHEL6.6 https://bugzilla.redhat.com/show_bug.cgi?id=1186717.
What I've seen recently is making me think the people who've lectured me about auto-updating RHEL systems are (now?) right.
Bullet 1 contains "1.Update the glibc and ncsd packages" shouldn't this be: glibc and NSCD?
Hi Daniel,
Yes, thanks. It's been fixed.
On RHEL 5.11 the GHOST-test.sh script incorrectly reports the system as Not Vulnerable if you have glibc-2.5-123 installed rather than glibc-2.5-123.el5_11.1.
i.e.:
[root@uos-t-rhtm-07 install]# ./GHOST-test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.5 revision 123
Not Vulnerable.
[root@uos-t-rhtm-07 install]# rpm -qa glibc
glibc-2.5-123
glibc-2.5-123
[root@uos-t-rhtm-07 install]# ./GHOST
vulnerable
Please can this be checked so people know whether they should patch or not.
Thanks.
TG
See my comment above.
Balazs
Thanks for that. We will continue with patching our systems.
Are you also going to release updates for 6.5.z and 5.9.z or do I have to rush updates now?
Hi Gunter, 6.5.z and 5.9.z will get the updates.
After updating the GLIBC pkg, is a reboot required?
Thanks
Hi Beverly,
All that needs to be done is a restart of the services that use glibc but it is safer to do a reboot as there can be quite a few.
Well, in theory not but then you have to make sure that you restart manually all of your processes which are using it :)
The needs-restarting command could help you.
In my case:
In this particular case: -
$needs-restarting
1 : /sbin/init
...
Basically the init process uses glibc and therefore also needs restarting, which by implication means the server needs rebooting. Of course that is assuming there is an attack vector via the init process, rather than programs such as sendmail, but it's the only belt-and-braces solution in the absence of full knowledge of the attack surface.
Thanks. Is there any easy way of identifying all the services that use glibc?
See my comment above
I believe that running the below command will do it but a reboot is recommended by Red Hat:
lsof | grep libc | awk '{print $1}' | sort | uniq
edit: Or as Balazs says above
What about the compat-glibc packages? I would assume they are also vulnerable?
Hi Christina, at this stage there are not plans to update compat-glibc packages. If there is a need for these packages to be fixed for some software that depends on them, then we can revisit this topic.
KB solution regarding
compat-glibc: Is compat-glibc affected by GHOST, glibc vulnerability (CVE-2015-0235).Kindly provide us to download gblic solution packages for redhat 6.5. We are already using .z repo.
This is really much difficult to sync many repository.
Advise me how can i download those solution packages for redhat 6.5 which is supported by redhat.
Thanks in advance
For you information we are using glibc-2.12-1.132.el6.x86_64.rpm version in redhat 6.5 servers.
I'm assuming since this is glibc a reboot after update would be ideal, but is it necessary to close off the vuln?
Thanks!
Hi Kodiak,
In theory, it would be enough to just restart any affected services (that use the
gethostbynamefunctions), but since there are so many, it is advisable to reboot.Hi Subramanian,
have a look here for RHEL6/7 Updated Packages:
https://access.redhat.com/errata/product/69/ver=/rhel---6/i386/RHSA-2015:0092
Regards
Looks like the page at https://access.redhat.com/labs/ghost/ that had the link to the test script has been pulled. Now it produces a 404 error.
Charlie D.
Hi Charlie,
OLD: The test script was faulty, and it is now being rewritten. This article (and discussion) will be updated when it's ready for use.
The detection script has been fixed, and the lab is available again: GHOST - gethostbyname Detector.
I'm experiencing the same issues after patching. Script appears to report vulnerable after installing the proper Errata.
Hi Brandon,
OLD: Please, disregard the script for now -- it doesn't work as it's supposed to. A new script is being prepared now.
The detection script has been fixed, and the lab is available again: GHOST - gethostbyname Detector.
That said, if you installed packages from the relevant erratum, your glibc should be safe (after reboot).
Updates are published for the current active minor releases 7.0, 6.6, 5.11. For prior minor releases, you typically need an entitlement for Extended Update Support. Without that, you may not be able to download it.
Name : glibc
Version : 2.12
Release : 1.149.el6_6.5 Build Date: Tue 27 Jan 2015 02:38:55 PM EST
Install Date: Wed 28 Jan 2015 10:40:53 AM EST
I did update the glibc pack, so is this the version it should be updated? I run the script but its showing vuln. I got that script is faulty. I just want to know that is this the version it should be updated.
Thanks
Hi everybody,
The detection script has been fixed, and the lab is available again: GHOST - gethostbyname Detector .
I confirm this new version does a better job than the previous one.
Servers that were detected as "not vulnerable" are now detected as "vulnerable", which is true,
Thanks, it seems to be working now.
We need to install below packages or just glibc?
Redhat 5 X86_64:
#rpm –Uvh /var/tmp/glibc-2.5-123.el5_11.1.x86_64.rpm
rpm –Uvh /var/tmp/glibc-common-2.5-123.el5_11.1.x86_64.rpm
Redhat 6 x86_64
rpm –Uvh /var/tmp/glibc-2.12-1.149.el6_6.5.x86_64.rpm
rpm –Uvh /var/tmp/glibc-common-2.12-1.149.el6_6.5.x86_64.rpm
It's glibc that's vulnerable. But when it's being updated, glibc-common also needs to be updated.
Please use yum which will take of the dependency part.
Sorry for repeating what has already been stated, but I need a more clean and definitive answer. Can we expect the patch to be back-ported to 6.5 and when? I have my release locked to 6.5 and this is what I am getting.
Nothing showing new under the RHEL 6 repo when locked to 6.5.
yum install yum-plugin-security
yum clean all
yum repolist -v
yum update --advisory=RHSA-2015:0099
If you have problems beyond this, please open a support ticket.
Thanks, but as you can see in my previous output, "Loaded plugins: ...,security,...", the security plugin is already installed. I had already cleaned my metadata and deleted all contents in /var/cache/yum/. "yum updateinfo list sec" returns nothing.
I have used subscription-manager to set my release to 6.5, is that going to be a problem? If so, and setting your release to a version prevents bugfix and errata updates from being available, then what good is locking to a minor release?
Can you simply answer the question as to whether or not this is or will be back ported to 6.5?
Hi Chad,
Updated packages for RHEL Server 6.5 AUS and RHEL Server 6.5.z EUS are available through RHSA-2015:0099.
If you cannot install the packages from that advisory, please, open a support ticket as Matt suggested.
Chad,
If you're locked to 6.5 then yum update will not help you. This is because your 'locked' 6.5 release (which was released a couple of months or so ago) does not know about this errata (which has been released just now). You need to install the errata either manually (ugly) or to add it to your 'locked' 6.5 release somehow. I prefer the second method. You can simply create a child channel (call it errata_for_6.5) and set its parrent to be the channel that holds your 'locked' 6.5 release. Then add the packages related to this errata to the child channel. Go to the client, refresh the yum cache and the errata packages will become 'visible'. The reason I prefer this method is that I do not have to modify my base 'locked' release every time a new errata comes along. I just add the errata packages to the child channel. Obviously, if the packages from the errata depend on packages that are not in your 'locked' release, you have to include them in the child channel. If you follow up this method, in time you could diverge quite substantially from your 'locked' base release, but hey, you are diverting from it anyway the moment you install an errata :)
Curious, do you think I am using the versionlock yum plugin or using subscription-manager to set/lock my release? I am doing the later... in this case. To my way of thinking, if you lock to a release, say 6.5, then any security errata should still be available for the packages in the 6.5 release that are affected. Having to go grab the packages and drop them in my local repo is a PITA. Oh well. Thanks for the info, but if it comes to that, then I would rather just unlock my release. Thanks again.
RHEL 6.5 is no longer the active release. You need to either update to RHEL 6.6 or obtain EUS entitlements.
https://access.redhat.com/support/policy/updates/errata/#Extended_Update_Support
Without an active EUS entitlement, you will not see updates to previous minor releases.
Thanks, I have had a Premium service-level ticket open for hours with a severity of High(2) and yet to have get a response on how to apply a EUS entitlement. Any suggestions? I know if I were in RHN Classic, I could easily manage my base channel, but I can find no such option for RHSM managed systems.
IfI use below. Is there any issue?
$rpm –Uvh glibc-2.12-1.149.el6_6.5.x86_64.rpm
There's no issue. But again, it's recommended to use yum, which will take care of the dependencies if any.
Make sure to update nscd also as described in the above article.
./ghost.sh
Installed glibc version(s)
- glibc-2.5-123.x86_64: vulnerable
- glibc-2.5-123.i686: vulnerable
This system is vulnerable to CVE-2015-0235. https://access.redhat.com/security/cve/CVE-2015-0235
Please refer to https://access.redhat.com/articles/1332213 for remediation steps
[root@ld2 Ghost]# rpm -qi glibc
Name : glibc Relocations: (not relocatable)
Version : 2.5 Vendor: Red Hat, Inc.
Release : 123 Build Date: Tue 26 Aug 2014 12:02:48 PM CDT
Install Date: Tue 14 Oct 2014 11:52:46 AM CDT Build Host: x86-027.build.eng.bos.redhat.com
Group : System Environment/Libraries Source RPM: glibc-2.5-123.src.rpm
Size : 11690192 License: LGPL
Signature : DSA/SHA1, Wed 27 Aug 2014 04:17:14 AM CDT, Key ID 5326810137017186
Packager : Red Hat, Inc. http://bugzilla.redhat.com/bugzilla
Summary : The GNU libc libraries.
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.
Name : glibc Relocations: (not relocatable)
Version : 2.5 Vendor: Red Hat, Inc.
Release : 123 Build Date: Tue 26 Aug 2014 12:17:01 PM CDT
Install Date: Tue 14 Oct 2014 11:54:21 AM CDT Build Host: x86-002.build.bos.redhat.com
Group : System Environment/Libraries Source RPM: glibc-2.5-123.src.rpm
Size : 13032544 License: LGPL
Signature : DSA/SHA1, Wed 27 Aug 2014 04:17:14 AM CDT, Key ID 5326810137017186
Packager : Red Hat, Inc. http://bugzilla.redhat.com/bugzilla
Summary : The GNU libc libraries.
Description :
The glibc package contains standard libraries which are used by
multiple programs on the system. In order to save disk space and
memory, as well as to make upgrading easier, common system code is
kept in one place and shared between programs. This particular package
contains the most important sets of shared libraries: the standard C
library and the standard math library. Without these two libraries, a
Linux system will not function.
2015-0235)" = $(rpm -q glibc | wc -l) && echo ok || echo 'not ok' | grep -c CVE-
not ok
#
I don't want to update repository..Can somebody give a download and install solution manually
is this for RHEL5.x86 32 bit packaes? I did not see glibc-common package for RHEL.x86 32 bits.
glibc-2.5-123.el5_11.1.i686.rpm
If the install is on a 64 bit version of RHEL, then is also required. But the 32-bit version of glibc-common isn't required.
For further queries, kindly open a case with us.
So I am on 6.4 . If I run the command "yum update glibc" it will put me at 6.6? also is this the correct update syntax?
Running "yum update glibc" will update to the latest glibc pakages in the RHEL6 channel. Yes it will put glibc at RHEL6 and the syntax is correct.
If you run into any isssues, please open a support ticket.
No, RHEL 6.6 consists of a list of other packages and not just glibc.
Related information:
https://access.redhat.com/solutions/92383
Yes, that is the correct syntax.
Can you please confirm that a reboot is completely necessary to close this vulnerability? We have a very large environment so do not wish to be rebooting unless its completely necessary.
In fact, only the services that use glibc needs to be restarted.
Since a majority of the system services and processes makes use of it, it's better to go for a reboot, rather than identify and restarting every service.
And how critical is it that the services are restarted? It is sufficient to just update the rpms and reboot at a later date?
Hi Anne-Marie,
The system remains potentially vulnerable until the services are restarted (the new, fixed, version of glibc will only be used with newly started services).
All, Is it better to have a shell script that checks a version number or a binary that actually attempts the exposure?
Might be fodder for exploit-kiddies, but the mere version check involves trust, and the compiled binary confirms the remediation.
$,02222222,,,
Hi Red Hat,
I ran your new script, it states I am vulnerable, but yet, my latest glibc is indeed version 2.5-123 ? I noticed in the new script, you're querying changelog ! So basically if I patched a month ago, and I am current on 5.11 or 6.6, I should be ok ? Correct ?
This fix came after the release of RHEL5.11 and RHEL6.6.
If the system was patched a month back, then the system is still vulnerable because the fix was released a day ago.
The fix in RHEL5 is in "glibc-2.5-123.el5_11.1". The package "glibc-2.5-123" doesn't have the fix to the issue.
Pages