New vulnerability in GLIBC - GHOST (CVE-2015-0235)

ElixantTechnology

New member
Joined
Nov 26, 2014
Messages
622
Points
0
As you may have already heard, a high severity vulnerability affecting Linux GNU C Library (glibc) was announced this morning. The vulnerability known as GHOST (CVE-2015-0235) affects many systems built on Linux starting with glibc-2.2 as well as Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04, and allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.

The following was sent out on behalf of Exim:

Today CVE-2015-0235 was released, concerning a memory mismanagement
vulnerability in glibc's "gethostbyname" functions. This software is
the most common provider of "libc" on GNU/Linux systems, outside of the
embedded space. If you're running Exim on GNU/Linux and don't know
otherwise, assume that you are using glibc to provide much of the base
operating system functionality and that you are affected by this
problem. The latest versions of glibc are not affected, but for clarity
you should check with your OS vendor.

The exploit announcement is up at:
[URLnf=http://www.openwall.com/lists/oss-security/2015/01/27/9]http://www.openwall.com/lists/oss-security/2015/01/27/9[/URLnf]
and we'd like to thank Qualys for being exceptionally responsible and
trying to provide us with advance notification that Exim would be
discussed as an exploit vector; unfortunately, the details leaked, they
had to move more quickly than they had planned and we've been left
playing catch-up; we're sorry that this announcement from the Exim
Maintainers is so tardy.

Because glibc is a library, flaws are exposed in applications which use
those functions, so many different programs are affected. Exim was
chosen by the researchers as one widespread possible attack vector, and
they have been able to use this to be able to perform a "remote code
execution" attack against Exim, under certain circumstances.

The best fix is to install security fixes for glibc from your vendor,
and then restart any network services such as Exim.

If you can not sufficiently expedite such changes, then for this one
specific attack vector as outlined in the security advisory, you can
turn off use of the broken library functions by Exim's HELO/EHLO
handling; this does not protect you from other uses of those functions
by Exim, nor does it protect other products. Details below.

The impact of an exploit is to be able to run arbitrary machine code as
the Exim run-time user: the user which handles incoming SMTP
connections. This is typically a user called "exim" (or "_exim" or
"mailnull" or something else chosen by your OS vendor). For a number of
releases now, Exim's code has explicitly blocked ill-advised attempts to
build it with "root" as the run-time user, to limit the consequences of
flaws such as this latest one. Taking over your machine entirely would
require a privilege escalation attack from the Exim run-time user to
root, but attackers just getting a foothold is likely to be sufficiently
painful for you.

To protect Exim against the HELO/EHLO attack vector, do *not* set either
of these in the main configuration:

helo_verify_hosts
helo_try_verify_hosts

and do *not* use the following in any ACLs:

verify = helo

We believe, based on rather hurried analysis, that every other
configuration option in Exim which might use "gethostbyname()" will use
a newer set of functions if available, and not explicitly disabled by
your OS packagers when building Exim.
Updated glibc packages that fix one security issue are now available for RHEL & CentOS, and you can patch the vulnerability by executing the following command via SSH:

yum update glibc

NOTE: NO reboot will be required with installation of this patch. It is always recommended to keep your system's software up to date.
 

Hassan

New member
Joined
Nov 11, 2014
Messages
706
Points
0
CentOS:

The exploit is fixed in glibc-2.12-1.149.el6

Update glibc


To mitigate the issue, please update to the latest version of glibc:
Code:
yum clean all && yum update "glibc*"
Version glibc-2.12-1.149.el6 and up is not affected, so be sure you are at this patch level. If your yum repository does not have this update yet, it may still be rsyncing, or yet to rsync.

[URLnf=https://www.centosblog.com/critical-glibc-remote-vulnerability-exploit-ghost-patch-glibc-now/]https://www.centosblog.com/critical-glibc-remote-vulnerability-exploit-ghost-patch-glibc-now/[/URLnf]

After glibc update you should restart all the services (which use the lib), or reboot a server.
 

Inquestor

Well-known member
Joined
Feb 1, 2013
Messages
495
Points
63
Thank you both!

I have a few servers running both Ubuntu 12.04 and CentOS 5.11. I am updating these now!

:buba:
 
Older threads
Replies
7
Views
3,716
Replies
2
Views
3,040
Replies
2
Views
3,039
Latest threads
Replies
4
Views
27
Replies
2
Views
40
Replies
5
Views
37
Recommended threads

Referral contests

Referral link for :

Sponsors

Popular tags

You are using an out of date browser. It may not display this or other websites correctly.
You should upgrade or use an alternative browser.

Top