On the 27th of January 2015, a vulnerability named GHOST (CVE-2015-0235) was announced. This exploit was identified in a common linux package known as GNU C library (glibc).

An attacker who exploits this issue can gain complete control of the compromised system.

This affects most Linux flavours and most servers will be affected as this package is a common package to have installed.

The vulnerability was code named “GHOST” for easy reference.

Vulnerability Info

The “GHOST” vulnerability was due to a bug in the code of the GNU C Library package that allowed for someone to gain full access to a server if they are able to exploit the identified bug.

Depending on the server, the bug could be exploited remotely or locally through certain calls that are passed through the glibc package by varying different applications like DNS, PHP or Exim for example.

Current affected Linux distributions include:

• RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
• CentOS Linux version 5.x, 6.x & 7.x
• Ubuntu Linux version 10.04, 12.04 LTS
• Debian Linux version 7.x
• Fedora Linux version 19 or older

Interesting note is that some flavours were not affected as the code was addressed in certain versions of the glibc package, however those fixed versions were not included in some Linux flavours.

Technical Info

For the more technical inclined the exploit exists in the “he __nss_hostname_digits_dots()” function of the glibc package.

If you would like to quickly test if your system is vulnerable you will need to run the following command as root (or user with similar permissions),

ldd --version

The output should look something like below,

ldd (GNU libc) 2.12

ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15

ldd (Debian EGLIBC 2.13-38+deb7u6) 2.13

Those versions of the glibc package are vulnerable and need to be patched.

Another more detailed test is to run a C script that actually checks for the exploit.  This is an advanced test and should only be done by users who understand C, compiling and gcc.

Create the following text file named “ghostest.c”:

/* ghosttest.c:  GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
 
#define CANARY "in_the_coal_mine"
 
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
 
int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;
 
  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';
 
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
 
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

Compile and run it as follows:

$ gcc ghosttest.c -o ghosttest
$ ./ghosttest

You will now either get an output of either “not vulnerable” or “vulnerable”.

What We Have Done

On the 27th of January 2015, we patched all core servers, including our Shared/Reseller servers. We additionally prepared, tested and rolled out the patch to our new Managed VPS offering.

Over the past week we have patched all non-core systems.

We have prepared a Help Centre article for our VPS and Dedicated servers customers whom wanted to patch the issue themselves.

What You Should Do

If you are a self-managed VPS/Dedicated Server customer running an affected Linux flavour we recommend you take action and patch your server immediately.

We’ve prepared a Help Centre article for you to follow here.

If you are a VPS/Dedicated Server customer with the Full Management support option (or are on our new Control Panel VPS offering) please open a support ticket and we will check and patch as required.

If you are on a new Managed VPS offering, we have already patched you, and no further action is required.

Want To Know More

If you are interested to understand more about this exploit. Please see the following links:

• https://access.redhat.com/articles/1332213
• http://www.openwall.com/lists/oss-security/2015/01/27/9
• http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/
• https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt