Retired: This application is now retired.

GHOST (CVE-2015-0235) - gethostbyname Detector


This script helps you confirm whether your system is susceptible to GHOST.

UPDATE: A new version of the detector script is now available that resolves the existing problems reported in this thread.

Comments


The current script is incorrect:

[simathew@simathew ~]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Workstation release 6.3 (Santiago)
[simathew@simathew ~]$ uname -a
Linux simathew.csb 2.6.32-279.19.1.el6.x86_64 #1 SMP Sat Nov 24 14:35:28 EST 2012 x86_64 x86_64 x86_64 GNU/Linux
[simathew@simathew ~]$ rpm -q glibc
glibc-2.12-1.149.el6_6.5.x86_64
glibc-2.12-1.149.el6_6.5.i686
[simathew@simathew ~]$ 
[simathew@simathew ~]$ sh GHOST-test.sh 
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Detected glibc version 2.12-1
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
[simathew@simathew ~]$ 

It requires the following changes:

[simathew@simathew ~]$ diff GHOST-test.sh GHOST.sh 
40a41
> echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-"$glibc_vulnerable_revision3
43c44
< glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
---
> glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
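Review bot: switching the awk field from `$4` to `$5` in the `43c44` change hard-codes the EL6 release layout (`2.12-1.149`, where field 4 is the leading `1`). For a release string without that extra component, such as `glibc-2.17-55.el7_0.5`, field 5 is part of the dist tag rather than the revision, so the field should be selected per release layout or, better, the release should be taken as everything after the last `-` instead of by field position.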
[simathew@simathew ~]$ 

After modification:

[simathew@simathew ~]$ sh GHOST.sh 
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-148
Detected glibc version 2.12-149
Not Vulnerable.
[simathew@simathew ~]$ 

Thanks for the diff. That fixes EL6, but breaks EL5. I don't have an EL7 to test, but the following diff works on 5 & 6:

$ diff -U 0 GHOST-test.sh.orig GHOST-test.sh
--- GHOST-test.sh.orig 2015-01-27 18:50:11.899497404 -0600
+++ GHOST-test.sh 2015-01-27 19:55:36.059068391 -0600
@@ -40,0 +41 @@
+echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-"$glibc_vulnerable_revision3
@@ -43 +44,4 @@
-glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
+test $glibc_version = '2.5' && \
+ glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
+test $glibc_version = '2.12' && \
+ glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
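Review bot: the two `test ... &&` lines in the second hunk assign `glibc_revision` only for `2.5` and `2.12`, so on a `2.17` system (or any other version) the variable is left unset. `$glibc_version` is also unquoted, which makes `test` fail with a syntax error if `rpm -q glibc` yields more than one version or none. A `case "$glibc_version" in` with an explicit default branch would cover both.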

Cheers.

How about this, which has been tested in EL5, EL6 and EL7:

[simathew@simathew ~]$ diff -U 0 GHOST-test.sh GHOST.sh 
--- GHOST-test.sh   2015-01-28 05:22:08.621142402 +0530
+++ GHOST.sh    2015-01-28 07:49:51.319118087 +0530
@@ -40,0 +41 @@
+echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-"$glibc_vulnerable_revision3
@@ -43 +44,6 @@
-glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
+if [ "$(rpm -q glibc | grep -o 'el6' | head -1)" == "el6" ]
+then
+   glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
+else
+   glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
+fi
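Review bot: both branches of the new `if`/`else` still keep a single numeric field of the release (`$5` or `$4`), so everything after the dist tag is dropped and `1.149.el6_6.5` cannot be told apart from another `1.149` build. The test itself uses `==` inside `[ ]`, which is a bash extension although the script is invoked as `sh GHOST.sh`; `=` is the portable operator, and the `grep -o 'el6'` over the whole `rpm -q` output could be replaced by a `case` on the release string.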
[simathew@simathew ~]$ 

Please find below the outputs for reference:

EL5

[sibu@dhcp223-56 ~]$ rpm -q glibc
glibc-2.5-123.el5_11.1
glibc-2.5-123.el5_11.1
[sibu@dhcp223-56 ~]$ sh GHOST.sh 
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-148
Detected glibc version 2.5-123
Not Vulnerable.
[sibu@dhcp223-56 ~]$ 

EL6

[simathew@simathew ~]$ rpm -q glibc
glibc-2.12-1.149.el6_6.5.x86_64
glibc-2.12-1.149.el6_6.5.i686
[simathew@simathew ~]$ 
[simathew@simathew ~]$ sh GHOST.sh 
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-148
Detected glibc version 2.12-149
Not Vulnerable.
[simathew@simathew ~]$ 

EL7
~~~~~~
[sibu@dhcp223-81 ~]$ rpm -q glibc
glibc-2.17-55.el7_0.5.x86_64
[sibu@dhcp223-81 ~]$
[sibu@dhcp223-81 ~]$ sh GHOST.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-148
Detected glibc version 2.17-55
Not Vulnerable.
[sibu@dhcp223-81 ~]$
~~~~~~~

This script has been rewritten to avoid checking for specific versions which vary across major and extended releases. Sorry for any inconvenience this may have caused.

This script appears to be broken. It does not check the Release version numbers correctly across all versions of RHEL server. Thus, it marks unpatched hosts as patched (RHEL7 & RHEL5) while marking RHEL6 hosts as vulnerable.
e.g.
RHEL7:
Version : 2.17
Release : 55.el7_0.3
is marked as patched when in fact only version 55.el7_05 is patched. The script only checks for the presence of "55".

This script has been rewritten to avoid checking for specific versions which vary across major and extended releases. Sorry for any inconvenience this may have caused.

You should mention that the script does not "test if system is vulnerable" but only "test if system has a known bad version of libc".

RHEL 6 false positive

[root@labntrn035]~# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 6.4 (Santiago)
[root@labntrn035]~# rpm -q glibc --queryformat "%{name}-%{version}-%{release}.%{arch}\n"
glibc-2.12-1.149.el6_6.5.x86_64
glibc-2.12-1.149.el6_6.5.i686
[root@labntrn035]~# /var/tmp/GHOST-test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Detected glibc version 2.12-1
This system is vulnerable to CVE-2015-0235. https://access.redhat.com/security/cve/CVE-2015-0235
Please refer to https://access.redhat.com/articles/1332213 for remediation steps

why not?

[root@localhost ~]# rpm -qa glibc
glibc-2.12-1.149.el6_6.5.x86_64 <== patch version?

[root@localhost ~]# ./GHOST-test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Detected glibc version 2.12-1
This system is vulnerable to CVE-2015-0235. https://access.redhat.com/security/cve/CVE-2015-0235
Please refer to https://access.redhat.com/articles/1332213 for remediation steps
[root@localhost ~]#

glibc_version=$(rpm -q glibc | awk -F"[-.]" '{print $2"."$3}' | sort -u)
glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u) <== miss version check?

This tool does not seem to work for RHEL 6 systems. I applied the Errata updates that purport to fix this bug (by upgrading glibc to glibc-2.12-1.149.el6_6.5.x86_64, RHSA-2015:0092-1 ( https://rhn.redhat.com/errata/RHSA-2015-0092.html )) and yet this tool still reports the system as vulnerable. Perhaps this is because it only checks the version number on the RPM, not for the actual vulnerability? Please let me know if my system is still vulnerable or your tool is not working.

Ok, I saw the patches to this after submitting my comment, noticing the "See comments" link in the hidden section of the page, and then coming here. This is not a professional way to distribute software and reflects poorly on RedHat. RedHat: Please act professionally -- apply the patches to the version of the script people download from the front page (https://access.redhat.com/labsinfo/ghost), rather than expecting them to find the buried link to the comments section, laboriously read through them, then apply the patch themselves.

This script has been rewritten to avoid checking for specific versions which vary across major and extended releases. Sorry for any inconvenience this may have caused.

Can we count on this script? Looks like systems with existing updates are not affected.

nm, comments should be displayed by default. Ridiculous.

This is so broken...
Having a script that informs you that all is swell is worse than having no script at all.
You need to take down this script ASAP until you can find a proper fix for it.

This patch fixes the script for us, EL5/6/7

--- GHOST-test.sh   2015-01-28 08:42:07.816793000 +0100
+++ REAL-GHOST-test.sh  2015-01-28 08:42:01.201186000 +0100
@@ -31,23 +31,33 @@
 }

 glibc_vulnerable_version=2.17
-glibc_vulnerable_revision=54
+glibc_vulnerable_revision=55
+glibc_vulnerable_minor=0.4
+
 glibc_vulnerable_version2=2.5
-glibc_vulnerable_revision2=122
+glibc_vulnerable_revision2=123
+glibc_vulnerable_minor2=11.0
+
 glibc_vulnerable_version3=2.12
-glibc_vulnerable_revision3=148
-echo "Vulnerable glibc version <=" $glibc_vulnerable_version"-"$glibc_vulnerable_revision
-echo "Vulnerable glibc version <=" $glibc_vulnerable_version2"-"$glibc_vulnerable_revision2
-echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-1."$glibc_vulnerable_revision3
+glibc_vulnerable_revision3=149
+glibc_vulnerable_minor3=6.4
+
+echo "Vulnerable glibc version <=" $glibc_vulnerable_version"-"$glibc_vulnerable_revision"-"$glibc_vulnerable_minor
+echo "Vulnerable glibc version <=" $glibc_vulnerable_version2"-"$glibc_vulnerable_revision2"."$glibc_vulnerable_minor2
+echo "Vulnerable glibc version <=" $glibc_vulnerable_version3"-1."$glibc_vulnerable_revision3"."$glibc_vulnerable_minor3

 glibc_version=$(rpm -q glibc | awk -F"[-.]" '{print $2"."$3}' | sort -u)
 if [[ $glibc_version == $glibc_vulnerable_version3 ]]
 then
     glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $5}' | sort -u)
+    glibc_minor=$(rpm -q glibc | awk -F"[-._]" '{print $7"."$8}' | sort -u)
+
 else
+    glibc_minor=$(rpm -q glibc | awk -F"[-._]" '{print $6"."$7}' | sort -u)
     glibc_revision=$(rpm -q glibc | awk -F"[-.]" '{print $4}' | sort -u)
 fi
-echo "Detected glibc version" $glibc_version" revision "$glibc_revision
+
+echo "Detected glibc version" $glibc_version" revision "$glibc_revision" minor "$glibc_minor

 vulnerable_text=$"This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
 Please refer to <https://access.redhat.com/articles/1332213> for remediation steps"
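Review bot: the new `glibc_minor` extraction depends on fixed field positions (`$7"."$8` for 2.12, `$6"."$7` otherwise) after splitting on `[-._]`, so a release string without an `_N.N` suffix after the dist tag shifts the fields and pieces of the architecture end up in the minor. Taking the release as everything after the last `-` and parsing the suffix from that would be sturdier. The first banner line also joins the minor with `"-"` while the other two use `"."`, and the threshold variables keep the name `glibc_vulnerable_revision` although 55, 123 and 149 are now the revisions at which the minor decides.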
@@ -55,16 +65,30 @@
 if [[ $glibc_version == $glibc_vulnerable_version ]]
 then
     vercomp $glibc_vulnerable_revision $glibc_revision
+    case $? in
+   0) vercomp $glibc_vulnerable_minor $glibc_minor;;
+   1) vercomp $glibc_vulnerable_minor $glibc_minor;;
+    esac
 elif [[ $glibc_version == $glibc_vulnerable_version2 ]]
 then
     vercomp $glibc_vulnerable_revision2 $glibc_revision
+    case $? in
+   0) vercomp $glibc_vulnerable_minor2 $glibc_minor;;
+   1) vercomp $glibc_vulnerable_minor2 $glibc_minor;;
+    esac
 elif [[ $glibc_version == $glibc_vulnerable_version3 ]]
 then
     vercomp $glibc_vulnerable_revision3 $glibc_revision
+    case $? in
+   0) vercomp $glibc_vulnerable_minor3 $glibc_minor;;
+   1) vercomp $glibc_vulnerable_minor3 $glibc_minor;;
+    esac
+
 else
     vercomp $glibc_vulnerable_version $glibc_version
 fi

+
 case $? in
     0) echo "$vulnerable_text";;
     1) echo "$vulnerable_text";;
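Review bot: each added `case $? in` block has no arm for a `vercomp` result other than 0 or 1, and a `case` that matches no pattern exits with status 0, so a revision that compares as newer than the threshold reaches the final `case $? in` as 0 and prints `$vulnerable_text`. The `1)` arm has the opposite problem: the final `case` already treats 1 as vulnerable, yet the minor comparison overwrites that result. Consult the minor only on a tie (`0)`) and preserve the original status otherwise, for example by saving it in a variable before the `case`.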

This script has been rewritten to avoid checking for specific versions which vary across major and extended releases. Sorry for any inconvenience this may have caused.

Hi,

We executed the GHOST-test.sh script on several of my systems.
The output is "Not vulnerable".
However, we executed a C program from https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

The output of this program is "vulnerable".

Systems:
RHEL 6.6 and kernel 2.6.32-504.1.3.el6.x86_64
GHOST-test.sh output:
Detected glibc version 2.12 revision 149
Not Vulnerable.

Which of those tests are ok?

Regards

This script doesn't seem to detect the vulnerability correctly on RHEL6 systems

This script has been rewritten to avoid checking for specific versions which vary across major and extended releases. Sorry for any inconvenience this may have caused.

Can you please add a version header into the script, so we don't have to download the script to see if something has changed? Thanks

Thanks for the suggestion. I have added the version number to the page.

Thanks Dan, would it be possible to also add it to the script header itself? Just a comment like:

# Version 3

That way there is less confusion about which one we're running.

Thanks,
Michele

I have just added the version into the script itself.

[root@localhost ~]# rpm -qa |grep glibc
glibc-common-2.12-1.149.el6_6.4.x86_64
glibc-headers-2.12-1.149.el6_6.4.x86_64
glibc-devel-2.12-1.149.el6_6.4.x86_64
glibc-2.12-1.149.el6_6.4.x86_64
[root@localhost]# ./GHOST-test.sh
Vulnerable glibc version <= 2.17-54
Vulnerable glibc version <= 2.5-122
Vulnerable glibc version <= 2.12-1.148
Detected glibc version 2.12 revision 149
Not Vulnerable.
However, we executed a C program from https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
The output of this program is "vulnerable".

Is it ok to not really update?

It looks like you aren't getting the latest RPM. In my experience glibc-2.12-1.149.el6_6.4.x86_64 will not solve the problem. It must be glibc-2.12-1.149.el6_6.5.x86_64. (**** Notice the "el6_6.5" instead of "el6_6.4" ****)
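The failure modes reported in this thread (field 4 returning `1` on EL6, `55.el7_0.3` passing as patched, `el6_6.4` versus `el6_6.5`) can be reproduced and avoided with the sketch below. It is an added example, not Red Hat's detector: the function names are hypothetical, the fixed builds are the ones commenters quote above, and GNU `sort -V` stands in for rpm's own version comparison.

```shell
#!/bin/bash
# Added example, not Red Hat's detector. Package strings are the ones quoted in this thread.

# Fixed builds as reported by commenters here, one per dist stream (assumption: only these streams).
FIXED="2.5-123.el5_11.1 2.12-1.149.el6_6.5 2.17-55.el7_0.5"

# The original extraction: split on '-' and '.', print field 4.
naive_revision() { printf '%s\n' "$1" | awk -F'[-.]' '{print $4}'; }

# Drop a trailing architecture if present (the EL5 output above has none).
strip_arch() {
    case $1 in
        *.x86_64|*.i686|*.i386|*.noarch) printf '%s\n' "${1%.*}" ;;
        *) printf '%s\n' "$1" ;;
    esac
}

# Dist stream such as el6_6 or el7_0; empty when the release has no such tag.
stream_of() { printf '%s\n' "$1" | grep -o 'el[0-9]*_[0-9]*' | head -n 1; }

# Print patched, vulnerable or unknown for one "rpm -q glibc" output line.
classify() {
    local pkg rel stream f frel
    pkg=$(strip_arch "$1")
    rel=${pkg##*-}                    # release = everything after the last '-'
    stream=$(stream_of "$rel")
    for f in $FIXED; do
        frel=${f##*-}
        [ -n "$stream" ] && [ "$(stream_of "$frel")" = "$stream" ] || continue
        # GNU sort -V approximates rpm's release ordering (assumption).
        if [ "$rel" != "$frel" ] &&
           [ "$(printf '%s\n%s\n' "$rel" "$frel" | sort -V | head -n 1)" = "$rel" ]; then
            echo vulnerable
        else
            echo patched
        fi
        return
    done
    echo unknown                      # other streams need their own fixed build
}

for p in glibc-2.5-123.el5_11.1 glibc-2.12-1.149.el6_6.4.x86_64 \
         glibc-2.12-1.149.el6_6.5.i686 glibc-2.17-55.el7_0.3.x86_64; do
    printf '%-34s field4=%-4s %s\n' "$p" "$(naive_revision "$p")" "$(classify "$p")"
done
```

A release from a stream that is not in the table yields `unknown` rather than a guess, which is the limitation that makes fixed version lists hard to maintain across major and extended releases.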

Will Satellite 6 offer a more convenient way to list vulnerable systems in one go?

Does not work for RHEL 4 as the extended support rpms do not appear to have the CVE-2015-0235 tag in the change log

Greg, please ensure that you have glibc-2.3.4-2.57.el4.2. I just checked the built RPM and it does in fact have this in the changelog.

  • Mon Jan 19 2015 Siddhesh Poyarekar siddhesh@redhat.com - 2.3.4-2.57.el4.2
  • Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183608).

This APP is related with CVE-2015-0235, but I can't search this app by keyword "CVE-2015-0235".