GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems

A critical remote code execution vulnerability in the GNU C library glibc affects all Linux systems going back to 2000.

A critical vulnerability has been found in glibc, the GNU C library, that affects all Linux systems dating back to 2000. Attackers can use this flaw to execute code and remotely gain control of Linux machines.

The issue stems from a heap-based buffer overflow in the __nss_hostname_digits_dots() function in glibc. That function is used by the gethostbyname function calls.

“A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application,” said an advisory from Linux distributor Red Hat.

The vulnerability, CVE-2015-0235, has already been nicknamed GHOST because of its relation to the gethostbyname function. Researchers at Qualys discovered the flaw and say it goes back to glibc version 2.2, published in November 2000.

According to Qualys, a mitigation for this issue was published May 21, 2013, between the releases of glibc-2.17 and glibc-2.18.

“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from Qualys posted to the OSS-Security mailing list.

Respective Linux distributions will be releasing patches; Red Hat has released an update for Red Hat Enterprise Linux v.5 server. Novell has a list of SUSE Linux Enterprise Server builds affected by the vulnerability. Debian has already released an update of its software addressing the vulnerability.

“It’s everywhere, which is kind of the urgency we have here. This has been in glibc for a long time. It was fixed recently, but it was not marked as a security issue, so things that are fairly new should be OK,” said Josh Bressers, a member of the Red Hat security response team. “From a threat level, what it comes down to is a handful of stuff that’s probably dangerous that uses this function.”

Unlike past Internet-wide bugs such as Bash, patching glibc may not be the chore that patching Bash was, when so many components made silent Bash calls.

“In this instance, you just apply the glibc update, and restart any services that are vulnerable,” Bressers said. “It’s not confusing like Shellshock was.”

Qualys, in its advisory, not only shares extremely in-depth technical information on the vulnerability, but also includes a section explaining exploitation of the Exim SMTP mail server. The advisory demonstrates how to bypass NX, or No-eXecute, protection as well as glibc malloc hardening, Qualys said.

Qualys also said that in addition to the 2013 patch, other factors mitigate the impact of the vulnerability, including the fact that the gethostbyname functions are obsolete because of IPv6 and newer applications using a different call, getaddrinfo(). While the flaw is also exploitable locally, this scenario too is mitigated because many programs rely on gethostbyname only if another preliminary call fails and a secondary call succeeds in order to reach the overflow. The advisory said this is “impossible” and those programs are safe.

There are mitigations against remote exploitation too, Qualys said. Servers, for example, use gethostbyname to perform full-circle reverse DNS checks. “These programs are generally safe because the hostname passed to gethostbyname() has normally been pre-validated by DNS software,” the advisory said.

“It’s not looking like a huge remote problem, right now,” Bressers said.

However, while the bug may have been dormant since 2000, there is no way to tell if criminals or government-sponsored hackers have been exploiting this vulnerability. Nor is there any way to tell what will happen once legitimate security researchers—and black hats—begin looking at the vulnerability now that it’s out in the open. With Bash, for example, it didn’t take long for additional security issues to rise to the surface.

Image courtesy Michal Docekal



  • lugubrious affect on

    Wonder what kind of affect the system takes on, if it gets neurotic or is really affected and starts wearing a fedora.
  • jems on

    I've seen various lists of things technically 'not affected'. What are some of the common processes/servers which ARE affected?
    • CFWhitman on

      I've seen several programs listed as not affected (around thirty). So far, I've only seen one listed as affected: Exim.
  • Muhammad Saad Khan on

    At Cloudways, we have already patched 2000+ of our customers' servers before they get affected by the highly critical Linux GHOST vulnerability.
  • Talan on

    A practical thing (hope it could be helpful for anyone). You don't need to reboot the whole server after updating. If you aren't able to do this (because of a critical thing running there, e.g.) — use this cmd which reboots only several applications that actually use vulnerable glibc:

        for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep "$s")" ]]; then echo "$s"; service "$s" restart; fi; done

    From:
  • GordT on

    A lot of old/small tools like "ping" use gethostbyname, so apps that call ping could be affected. One would hope that the app does scrubbing before passing parameters to external programs, but too often this isn't the case.
  • hans on

    Don't forget to either restart your daemons like sshd, apache or reboot. Else these will still use the old libraries.
  • jems on

    It's still not very clear on what is affected. I read in a couple places now, only Exim. Yet, other posts indicate everyone is patching everything, including things on the 'not affected' list. How exactly would/could a webserver be exploited with this?
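
The advice in the article and in the comments above, to update glibc and then restart whatever still uses the old library, can be checked with the following added example (not part of the article or of any comment). It relies on the Linux kernel marking a mapping "(deleted)" in /proc/<pid>/maps once the mapped file has been replaced on disk; the function name and the optional proc-root argument are assumptions of this example.

```shell
#!/bin/sh
# List processes that still map a glibc file that was replaced on disk.
# A package update unlinks the old libc file; processes started before the
# update keep the old code mapped until they are restarted, and the kernel
# shows that mapping with a trailing "(deleted)" in /proc/<pid>/maps, e.g.
# (constructed sample line):
#   7f00-7f10 r-xp 00000000 08:01 1234 /lib64/libc-2.12.so (deleted)

# stale_libc_pids [PROC_ROOT]
# Prints "<pid> <command name>" for each process with a deleted libc mapping.
# PROC_ROOT defaults to /proc; it is a parameter only so the function can be
# pointed at a test tree.
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip unreadable entries and the unexpanded glob when nothing matches.
        [ -r "$maps" ] || continue
        # Match libc.so.6 and libc-2.NN.so, but not libcrypto, libcap, etc.
        # [^ ]* also covers temporary suffixes some package managers append.
        if grep -Eq '/libc([-.][0-9.]+)?\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            # The process may exit while we scan; fall back to "?".
            name="$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Stand-alone use: report against the live system (run as root to see
# every process, since other users' maps files are not readable).
stale_libc_pids /proc
```

An empty result after the update and restarts means no running process that the invoking user can inspect is still executing the old library.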
