Introduction
Server security vulnerabilities can expose key services and applications to attacks. One of these vulnerabilities is the GHOST vulnerability (CVE-2015-0235). This flaw was found in the GNU C Library (glibc) and impacts many Linux distributions. Since several essential services, such as SSH, Bash, and DNS-related applications, rely on glibc, it is crucial for system administrators to check if their servers are vulnerable and implement the necessary fixes. This article outlines how to check for the GHOST vulnerability and decide if your Linux server is at risk.
On Linux servers, more than 60 binaries and major services, such as SSH, Nmap, and Bash, rely on the glibc libraries. A heap-based buffer overflow was found in __nss_hostname_digits_dots(), and an attacker could use this flaw to execute arbitrary code with the privilege of the users running the application using the function gethostbyname()
Check if Your Server Is GHOST Vulnerable
If the glibc version on your server is below 2.18, your server is most exposed to this vulnerability.
You can check the glibc version on your server using the command given below.
Verify the Installed glibc Version
#ldd –version
Using the Qualys Test Program
Also, you can check if your server is vulnerable to a GHOST attack by using a program released by Qualys.
Note: Use this program at your own risk.
============
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
#define CANARY “in_the_coal_mine”
struct {
char buffer[1024];
char canary[sizeof(CANARY)];
} temp = { “buffer”, CANARY };
int main(void) {
struct hostent resbuf;
struct hostent *result;
int herrno;
int retval;
/*** strlen (name) = size_needed – sizeof (*host_addr) – sizeof (*h_addr_ptrs) – 1; ***/
size_t len = sizeof(temp.buffer) – 16*sizeof(unsigned char) – 2*sizeof(char *) – 1;
char name[sizeof(temp.buffer)];
memset(name, ‘0’, len);
name[len] = ‘\0’;
retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
if (strcmp(temp.canary, CANARY) != 0) {
puts(“vulnerable”);
exit(EXIT_SUCCESS);
}
if (retval == ERANGE) {
puts(“not vulnerable”);
exit(EXIT_SUCCESS);
}
puts(“should not happen”);
exit(EXIT_FAILURE);
}
============
- Save the above program to a file named ghostcheck.c
- Compile the program using the command given below.
#gcc ghostcheck.c -o ghostcheck
- Run the program using the command,
./ghostcheck
If your server is not exposed to risks, you will be notified with a message ‘not vulnerable’ and vice versa upon successful execution of this program.
Conclusion
The GHOST vulnerability (CVE-2015-0235) underscores the importance of regularly monitoring and updating Linux servers. Glibc is a key part used by many applications and services. An unpatched vulnerability can lead to serious security risks. By checking your glibc version and testing your server for exposure, you can spot potential threats early and take action. Regular security updates and proactive server maintenance are crucial for keeping Linux environments secure and reliable.
If you require help, contact SupportPRO Server Admin
