Ghost vulnerability

Public Date:
Updated -
Status
Resolved
Impact
Critical

Red Hat Product Security has been made aware of a critical vulnerability in the glibc library, which has been assigned CVE-2015-0235 and is commonly referred to as 'GHOST'. All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.

Background

GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.

Exploitation

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

Additional Information

All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.

  • Red Hat Enterprise Linux Server 5
  • Red Hat Enterprise Linux Server (v. 6)
  • Red Hat Enterprise Linux Server (v. 7)
  • Red Hat Enterprise Linux Desktop 5
  • Red Hat Enterprise Linux Desktop 6
  • Red Hat Enterprise Linux Desktop 7
  • Red Hat Enterprise Linux HPC Node 6
  • Red Hat Enterprise Linux HPC Node 7
  • Red Hat Enterprise Linux Workstation 6
  • Red Hat Enterprise Linux Workstation 7
  • Red Hat Enterprise Linux Server EUS (v. 6.6)
  • Red Hat Enterprise Linux Server EUS (v. 6.5)
  • Red Hat Enterprise Linux Server EUS (v. 6.4)
  • Red Hat Enterprise Linux Server EUS (v. 5.9)
  • Red Hat Enterprise Linux ELS (v. 4)*

*An active ELS subscription is required for access to this patch in RHEL 4. Please contact Red Hat sales or your specific sales representative for more information if your account does not have an active ELS subscription.

What is the Red Hat Enterprise Linux Extended Life Cycle Support Add-On (ELS)?

As a Red Hat customer, the easiest way to check for the vulnerability or confirm remediation is the Red Hat Access Lab: GHOST - gethostbyname Detector. Please make sure that you have installed the correct version prior and if you are downloading the package for RHEL 4, you must be subscribed to the ELS channel or have downloaded the ELS version of the package. The RHEL 4 non-ELS subscription version will cause a "vulnerable" message.

Step 1

Update the glibc and nscd packages on your system using the packages released with the following errata:

Product variant Advisory / package update
Red Hat Enterprise Linux Server 5 RHSA-2015:0090
Red Hat Enterprise Linux Server 6 RHSA-2015:0092
Red Hat Enterprise Linux Server 7 RHSA-2015:0092
Red Hat Enterprise Linux Desktop 5 RHSA-2015:0090
Red Hat Enterprise Linux Desktop 6 RHSA-2015:0092
Red Hat Enterprise Linux Desktop 7 RHSA-2015:0092
Red Hat Enterprise Linux HPC Node 6 RHSA-2015:0092
Red Hat Enterprise Linux HPC Node 7 RHSA-2015:0092
Red Hat Enterprise Linux Workstation 6 RHSA-2015:0092
Red Hat Enterprise Linux Workstation 7 RHSA-2015:0092
Red Hat Enterprise Linux Server EUS 6.6 RHSA-2015:0092
Red Hat Enterprise Linux Server EUS 6.5 RHSA-2015:0099
Red Hat Enterprise Linux Server EUS 6.4 RHSA-2015:0099
Red Hat Enterprise Linux Server EUS 5.9 RHSA-2015:0099
Red Hat Enterprise Linux ELS (v. 4)* RHSA-2015:0101

*An active ELS subscription is required for access to this patch in RHEL 4. Contact sales for more information on acquiring an ELS.

Step 2

Reboot the system or restart all affected services:

Because this vulnerability affects a large amount of applications on the system, the safest and recommended way to assure every application uses the updated glibc packages is to restart the system.

In case you are unable to restart the entire system after applying the update, execute the following command to list all running processes (not restricted to services) still using the old [in-memory] version of glibc on your system.

lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t

													

From the resulting list, identify the public-facing services and restart them. While this process may work as a temporary workaround, it is not supported by Red Hat and, should a problem arise, you will be requested to reboot the system before any troubleshooting begins.

Step 3

Confirm remediation by using the Red Hat Access Lab: GHOST-gethostbyname Detector (also see the Diagnose tab on this page).

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In