New Critical GLibc Vulnerability CVE-2015-0235 (aka GHOST)

RH1

Member
Nov 9, 2004
https://isc.sans.edu/diary/New+Critical+GLibc+Vulnerability+CVE-2015-0235+(aka+GHOST)/19237

Qualys discovered a critical buffer overflow in the gethostbyname() and gethostbyname2() functions in glibc. According to the announcement by Qualys, they were able to create an in-house exploit that will execute arbitrary code via the Exim mail server. [1]

glibc before version 2.18 (released August ) is vulnerable. You can quickly check your glibc version by using "ldd --version" (but not all Unix systems that use glibc have ldd installed, and some software is statically compiled with glibc).

Running ldd --version gives the following
ldd (GNU libc) 2.12

Running rpm -qa | grep glib gives the following

glibc-common-2.12-1.149.el6_6.4.i686
glibc-static-2.12-1.149.el6_6.4.i686
dbus-glib-0.86-6.el6.i686
glib2-2.28.8-4.el6.i686
glibc-devel-2.12-1.149.el6_6.4.i686
glibc-headers-2.12-1.149.el6_6.4.i686
cpanel-glib-2.22.5-2.cp1136.i386
glibc-2.12-1.149.el6_6.4.i686

It appears cpanel servers are vulnerable?
Any update
 

Venomous21

Well-Known Member
Jun 28, 2012
cPanel Access Level
Root Administrator
I've read all these articles and I'm a bit confused. I run x86_64 centos 5.11.

I ran the rpm -q --changelog glibc | grep CVE-2015-0235 command which returned no results. I also ran yum upgrade, which found no updated packages, even though I received a mailing from CentOS at 6pm EST today (about 1hr20min ago) referencing this article, which is obviously redhat https://rhn.redhat.com/errata/RHSA-2015-0090.html

Is it possible the mirrors are still syncing which is why yum upgrade hasn't found the package yet?

The output of rpm -q glibc reports:

glibc-2.5-123
glibc-2.5-123


Is this the same as the reported fixed version in the Red Hat article: glibc-2.5-123.el5_11.1.x86_64.rpm?
I'm on CentOS 5_11... my question is, does the .1 at the end mean this is the first release, or is there a release 0? Basically I'm asking, are my installed packages the same?

According to the openwall article, the issue was patched between version 2.17 and 2.18... if that's true, that would mean > version 2.18 is not vulnerable... if that's the case, why is emergency version 2.5-123 being pushed out today?

According to rpm -qi glibc, my version was built and installed in September, 2014.

A bit confused; I'd appreciate any advice and clarity.

P.S. Output of this command:

[/var/log]# rpm -qa | grep glib (I assume glib is not affected...)
glibc-common-2.5-123
glib-1.2.10-20.el5
glib-1.2.10-20.el5
cpanel-glib-2.22.5-2.cp1136
glibc-2.5-123
glibc-devel-2.5-123
glib2-2.12.3-4.el5_3.1
glibc-devel-2.5-123
glibc-headers-2.5-123
vzdummy-glibc-1.0-1.swsoft
glib2-2.12.3-4.el5_3.1
glibc-2.5-123

I run a VPS, should I contact my hosting provider to update vzdummy if necessary or will the updated glibc packages be enough?

- - - Updated - - -

I ran the latest updated commands in your article:

yum clean all ; yum update glibc

rpm -q --changelog glibc | grep CVE-2015-0235

Nothing updated and the command did not mention it was installed. Will check a couple other servers now.
 

adtastichosting

Active Member
Sep 13, 2008
Quick update, CentOS is finally pushing out the updates to the mirrors.
I have the same issue on 2 servers where, after running yum clean all ; yum update glibc, it says no packages are marked for update. I was able to update our 3 dedicated servers no problem, but these 2 are older VPS servers running CentOS 5.9. Any comments or ideas here?
 

avibodha

Member
Mar 23, 2013
cPanel Access Level
Root Administrator
Some WHM / cPanel vendors (wiredtree) point to their own CentOS repo instead of using the mirrors.

To get the update now, point your CentOS base repo to the main one and comment out theirs.

In /etc/yum.repos.d/CentOS-Base.repo, under [Updates], comment out this line (and any mirrorlist= lines):
# baseurl=http://mirror.wiredtree.com/centos/$releasever/os/$basearch/
and add:
baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/

then do:
yum update glibc
 

andyf

Well-Known Member
Jan 7, 2002
UK
It would appear (would be nice to get confirmation from cPanel on this) that the configuration utilised by cPanel is not vulnerable to this particular Exim PoC shown by Qualys, as the HELO hostname provided by the client is not verified by DNS resolution at any stage. As for the remainder of Exim DNS operations, this was their brief take on that:

We believe, based on rather hurried analysis, that every other
configuration option in Exim which might use "gethostbyname()" will use
a newer set of functions if available, and not explicitly disabled by
your OS packagers when building Exim.
Nevertheless, libc is used everywhere and you absolutely should update glibc packages and restart all services that use libc (or, if possible, a more comprehensive approach is to restart the system).
 

jdlightsey

Perl Developer III
Staff member
Mar 6, 2007
Houston Texas
cPanel Access Level
Root Administrator
It's very difficult to be certain with EXIM.

cPanel's configuration does not set the particular EXIM configuration options that Qualys focused on, but cPanel does heavily customize EXIM and hooks lots of custom functionality into it. It's best to assume that between cPanel's Perl code hooked into Exim, SpamAssassin, ClamAV, Mailman, and common custom email filters, injection points in the email subsystems will be found once the proof of concept code is released.
 
Jun 24, 2010
If you are using PHP 5.4, 5.5 or even 5.6 and have any applications using the "gethostbyname" function, then these would also be considered vulnerable, subject to penetration testing being done.

CentOS has not yet released the patch; however, Red Hat has, so it won't be long until it comes down from upstream.
 
Jun 24, 2010
Because this updates glibc, it is advised that the server be rebooted to make sure all running applications pick up the patch.
 

gdprojects

Registered
Feb 6, 2013
cPanel Access Level
Root Administrator
Hi

I'm not sure if I'm protected either:

[~]# ldd --version
ldd (GNU libc) 2.12
Copyright (C) 2010 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.


Have run:

# yum clean all
# yum update
# reboot

Still showing 2.12 as a version number.
 

quizknows

Well-Known Member
Oct 20, 2009
cPanel Access Level
DataCenter Provider
You are probably fine but check your RPM change log to be sure:

Code:
[[email protected] ~]# rpm -q --changelog glibc |head
* Mon Jan 19 2015 Siddhesh Poyarekar <[email protected]> - 2.12-1.149.5
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).

* Wed Dec 10 2014 Carlos O'Donell <[email protected]> - 2.12-1.149.4
- Fix recursive dlopen() (#1173469).

* Tue Dec 09 2014 Siddhesh Poyarekar <[email protected]> - 2.12-1.149.3
- Fix typo in res_send and res_query (#rh1172023).

* Tue Dec 09 2014 Siddhesh Poyarekar <[email protected]> - 2.12-1.149.2

As long as you see the line with CVE-2015-0235 in the output, your version is patched (backported) for this vulnerability. Alternate command:

Code:
[[email protected] ~]# rpm -q --changelog glibc |grep CVE-2015-0235
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).
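As an added example for this thread (my own script, not from any post above and not from cPanel, CentOS or Red Hat), here is a small POSIX shell check that puts together two points raised here: the version printed by ldd is misleading on RHEL/CentOS because the fix is backported without bumping 2.12 or 2.5, so the RPM changelog entry for CVE-2015-0235 is the authoritative signal; and after the update, any long-running process still mapping the old libc needs a restart (or a reboot, as advised earlier in the thread). The function names ghost_status, glibc_fixed_upstream and stale_libc_pids are this example's own, and the version, changelog file and proc root are passed in as parameters so the logic can be exercised against constructed data as well as a live host.

```shell
#!/bin/sh
# Added example, not from the thread: decide GHOST (CVE-2015-0235) exposure
# from the glibc version plus the RPM changelog, and list processes that still
# map a replaced libc. Function names are this example's own assumptions.

# glibc_fixed_upstream VERSION -> succeeds when VERSION is >= 2.18, the first
# upstream release with the fix (the thread: "patched between 2.17 and 2.18").
glibc_fixed_upstream() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    # Anything non-numeric (e.g. "unknown") is treated as not fixed.
    case "$major$minor" in '' | *[!0-9]*) return 1 ;; esac
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; }
}

# ghost_status VERSION CHANGELOG_FILE -> prints one word:
#   backported  the distro changelog names the CVE (authoritative on
#               RHEL/CentOS, where the version string stays 2.12 or 2.5)
#   upstream    the version itself is >= 2.18
#   vulnerable  neither signal is present (or the changelog is unreadable)
ghost_status() {
    if grep -q 'CVE-2015-0235' "$2" 2>/dev/null; then
        echo backported
    elif glibc_fixed_upstream "$1"; then
        echo upstream
    else
        echo vulnerable
    fi
}

# stale_libc_pids PROCROOT -> one PID per line for processes under PROCROOT
# (normally /proc) whose maps still reference a deleted libc, i.e. processes
# not restarted since the glibc RPM was replaced. Run as root for a full list;
# unprivileged users can only read their own maps files.
stale_libc_pids() {
    for maps in "$1"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # A maps line for a replaced library ends in "(deleted)", e.g.
        #   7f... r-xp 00000000 08:01 1234  /lib64/libc-2.12.so (deleted)
        if grep -q 'libc[-.].*(deleted)' "$maps"; then
            pid=${maps%/maps}
            echo "${pid##*/}"
        fi
    done
}

# Live run against this host: ./ghost_check.sh --run
if [ "${1:-}" = "--run" ]; then
    ver=$(ldd --version 2>/dev/null | sed -n '1s/.* //p')
    changelog=$(mktemp)
    rpm -q --changelog glibc >"$changelog" 2>/dev/null || true
    echo "glibc ${ver:-unknown}: $(ghost_status "${ver:-unknown}" "$changelog")"
    rm -f "$changelog"
    echo "PIDs still mapping a deleted libc: $(stale_libc_pids /proc | tr '\n' ' ')"
fi
```

Run it with --run on a box after yum update glibc: "backported" plus an empty PID list is the state you want; "backported" with PIDs listed means the package is fixed but those services (Exim, PHP-FPM, MySQL, sshd and so on) are still running the old code and need a restart. Note the checks are deliberately separate: a "vulnerable" verdict from the changelog test on a distribution that does not ship RPM changelogs only means the script could not prove the backport, not that the library is unpatched.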