New Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST)

Discussion in 'Security' started by RH1, Jan 27, 2015.

  1. RH1

    RH1 Member

    https://isc.sans.edu/diary/New+Critical+GLibc+Vulnerability+CVE-2015-0235+(aka+GHOST)/19237

    Qualys discovered a critical buffer overflow in the gethostbyname() and gethostbyname2() functions in glibc. According to the announcement by Qualys, they were able to create an in-house exploit that will execute arbitrary code via the Exim mail server. [1]

    glibc before version 2.18 (released August ) is vulnerable. You can quickly check your glibc version by using "ldd --version" (but not all Unix systems that use glibc have ldd installed, and some software is statically compiled with glibc)

    Running ldd --version gives the following
    ldd (GNU libc) 2.12

    Running rpm -qa | grep glib gives the following

    glibc-common-2.12-1.149.el6_6.4.i686
    glibc-static-2.12-1.149.el6_6.4.i686
    dbus-glib-0.86-6.el6.i686
    glib2-2.28.8-4.el6.i686
    glibc-devel-2.12-1.149.el6_6.4.i686
    glibc-headers-2.12-1.149.el6_6.4.i686
    cpanel-glib-2.22.5-2.cp1136.i386
    glibc-2.12-1.149.el6_6.4.i686

    It appears cPanel servers are vulnerable?
    Any update?
     
  2. Infopro

    Infopro cPanel Sr. Product Evangelist
    Staff Member

  3. Venomous21

    Venomous21 Well-Known Member

    I've read all these articles and I'm a bit confused. I run x86_64 centos 5.11.

    I ran the rpm -q --changelog glibc | grep CVE-2015-0235 command which returned no results. I also ran yum upgrade, which found no updated packages, even though I received a mailing from CentOS at 6pm EST today (about 1hr20min ago) referencing this article, which is obviously redhat https://rhn.redhat.com/errata/RHSA-2015-0090.html

    Is it possible the mirrors are still syncing which is why yum upgrade hasn't found the package yet?

    The output of rpm -q glibc reports:

    glibc-2.5-123
    glibc-2.5-123


    Is this the same as the reported fixed version on the red hat article: glibc-2.5-123.el5_11.1.x86_64.rpm
    I'm on CentOS 5.11... my question is: does the .1 at the end mean this is the first release, or is there a release 0? Basically I'm asking, are my installed packages the same?

    According to the openwall article, the issue was patched between version 2.17 and 2.18... if that's true, that would mean > version 2.18 is not vulnerable... if that's the case, why is emergency version 2.5-123 being pushed out today?

    According to rpm -qi glibc, my version was built and installed in September, 2014.

    Bit confused, appreciate any advice and clarity.

    P.S. Output of this command:

    [/var/log]# rpm -qa | grep glib (I assume glib is not affected...)
    glibc-common-2.5-123
    glib-1.2.10-20.el5
    glib-1.2.10-20.el5
    cpanel-glib-2.22.5-2.cp1136
    glibc-2.5-123
    glibc-devel-2.5-123
    glib2-2.12.3-4.el5_3.1
    glibc-devel-2.5-123
    glibc-headers-2.5-123
    vzdummy-glibc-1.0-1.swsoft
    glib2-2.12.3-4.el5_3.1
    glibc-2.5-123

    I run a VPS, should I contact my hosting provider to update vzdummy if necessary or will the updated glibc packages be enough?

    - - - Updated - - -

    I ran the latest updated commands in your article:

    yum clean all ; yum update glibc

    rpm -q --changelog glibc | grep CVE-2015-0235

    Nothing updated and the command did not mention it was installed. Will check a couple other servers now.
     
  4. Venomous21

    Venomous21 Well-Known Member

    Quick update, CentOS is finally pushing out the updates to the mirrors.
     
  5. adtastichosting

    adtastichosting Active Member

    I have the same issue on 2 servers that after running yum clean all ; yum update glibc says no packages are marked for update. I was able to update our 3 dedicated servers no problem but these 2 are older VPS servers running centos 5.9. Any comments or ideas here?
     
  6. avibodha

    avibodha Member

    Some WHM / cPanel vendors (wiredtree) point to their Centos repo instead of using mirrors.

    To get the update now, point your Centos base repo to the main one and comment out theirs.

    In /etc/yum.repos.d/CentOS-Base.repo, under [Updates], comment out this line (and any mirrorlist= lines):

    Code:
    # baseurl=http://mirror.wiredtree.com/centos/$releasever/os/$basearch/

    and add

    Code:
    baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/

    then do

    Code:
    yum update glibc
     
  7. adtastichosting

    adtastichosting Active Member

  8. andyf

    andyf Well-Known Member

    It would appear (would be nice to get confirmation from cPanel on this) that the configuration utilised by cPanel is not vulnerable to this particular Exim PoC shown by Qualys, as the HELO hostname provided by the client is not verified by DNS resolution at any stage. As for the remainder of Exim DNS operations, this was their brief take on that:

    Nevertheless, libc is used everywhere and you absolutely should update glibc packages and restart all services that use libc (or, if possible, a more comprehensive approach is to restart the system).
     
  9. jdlightsey

    jdlightsey Perl Developer III
    Staff Member

    It's very difficult to be certain with EXIM.

    cPanel's configuration does not set the particular EXIM configuration options that Qualys focused on, but cPanel does heavily customize EXIM and hooks lots of custom functionality into it. It's best to assume that, between cPanel's Perl code hooked into Exim, SpamAssassin, ClamAV, Mailman, and common custom email filters, injection points in the email subsystems will be found once the proof of concept code is released.
     
  10. StuartMacfarlane

    If you are using PHP 5.4, 5.5 or even 5.6 and have any applications using the "gethostbyname" function then these would also be considered vulnerable subject to penetration testing being done.

    CentOS has not yet released the patch however RedHat has so it won't be long till it comes down from the upstream.
     
  11. jdlightsey

    jdlightsey Perl Developer III
    Staff Member

  12. kalexanakis

    kalexanakis Member

    Hello

    I run
    and I got
    at all my cpanel servers, so they are already patched.

    Do I have to restart every system nevertheless?
     
  13. StuartMacfarlane

    Because this has updated glibc, it is advised that the server be rebooted to make sure all running applications pick up the patch.
     
  14. gdprojects

    gdprojects Registered

    Hi

    I'm not sure if I'm protected either:

    [~]# ldd --version
    ldd (GNU libc) 2.12
    Copyright (C) 2010 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.


    Have run:

    # yum clean all
    # yum update
    # reboot

    Still showing 2.12 as a version number.
     
  15. quizknows

    quizknows Well-Known Member

    You are probably fine but check your RPM change log to be sure:

    Code:
    [root@new ~]# rpm -q --changelog glibc |head
    * Mon Jan 19 2015 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.12-1.149.5
    - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
    
    * Wed Dec 10 2014 Carlos O'Donell <carlos@redhat.com> - 2.12-1.149.4
    - Fix recursive dlopen() (#1173469).
    
    * Tue Dec 09 2014 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.12-1.149.3
    - Fix typo in res_send and res_query (#rh1172023).
    
    * Tue Dec 09 2014 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.12-1.149.2
    
    

    As long as you see the line with CVE-2015-0235 in the output that means that your version is patched (backported) for this vulnerability. Alternate command:

    Code:
    [root@new ~]# rpm -q --changelog glibc |grep CVE-2015-0235
    - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
    - Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
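
    Added example, not code from the thread, cPanel or Red Hat: a small POSIX shell script covering the two questions raised above, the version check in posts 14 and 15 (the package changelog, not the `ldd` version string, shows whether the backport is installed) and the restart question in posts 12 and 13 (which running processes still map the replaced libc). The function and variable names are mine, and the changelog and maps lines are constructed samples, not output from any server in this thread.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or Red Hat): two defender-side checks
# for CVE-2015-0235 on a CentOS/RHEL server. `ldd --version` keeps printing 2.12
# after the fix because Red Hat backports patches, so the RPM changelog is the
# reliable indicator; and daemons started before the update keep the old libc
# mapped (shown as "(deleted)" in /proc/<pid>/maps) until they are restarted.
# Parsers read text on stdin so they can be exercised on the constructed samples.
set -eu
CVE="CVE-2015-0235"

# Reads `rpm -q --changelog glibc` output on stdin; prints "patched" or "unpatched".
changelog_status() {
    if grep -q "$CVE"; then echo patched; else echo unpatched; fi
}

# Reads "<pid> <line of /proc/<pid>/maps>" records on stdin; prints each pid once
# that still maps a deleted libc, i.e. a process that needs a restart.
stale_libc_pids() {
    awk '$NF == "(deleted)" && $(NF-1) ~ "/libc[-.]" { print $1 }' | sort -un
}

# Live wrappers (hypothetical helper names) that feed real data into the parsers.
live_changelog_status() { rpm -q --changelog glibc | changelog_status; }
live_stale_libc_pids() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}; pid=${pid%/maps}
        sed "s|^|$pid |" "$m" 2>/dev/null || true   # process may exit mid-scan
    done | stale_libc_pids
}

# Constructed samples, not real output from any server in this thread.
PATCHED_LOG='* Mon Jan 19 2015 maintainer - 2.12-1.149.5
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
* Wed Dec 10 2014 maintainer - 2.12-1.149.4
- Fix recursive dlopen() (#1173469).'
OLD_LOG='* Wed Dec 10 2014 maintainer - 2.12-1.149.4
- Fix recursive dlopen() (#1173469).'
SAMPLE_MAPS='1234 7f3a1c000000-7f3a1c1a0000 r-xp 00000000 08:01 1310 /lib64/libc-2.12.so (deleted)
1234 7f3a1c3a0000-7f3a1c3a4000 rw-p 001a0000 08:01 1310 /lib64/libc-2.12.so (deleted)
4321 7f9b00000000-7f9b001a0000 r-xp 00000000 08:01 1310 /lib64/libc-2.12.so (deleted)
5555 7f0c00000000-7f0c001a0000 r-xp 00000000 08:01 2048 /lib64/libc-2.12.so
5555 7f0c00400000-7f0c00401000 rw-p 00000000 00:00 0 [heap]'

if [ "${1:-}" = "--live" ]; then
    live_changelog_status; live_stale_libc_pids
else
    printf '%s\n' "$PATCHED_LOG" | changelog_status   # patched
    printf '%s\n' "$SAMPLE_MAPS" | stale_libc_pids    # 1234 and 4321
fi
```

    Run it with `--live` on the server itself to check the installed package and list the pids to restart; without arguments it runs only against the samples.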
    
     