Tutorial

How To Protect Your Linux Server Against the GHOST Vulnerability

Published on January 28, 2015
How To Protect Your Linux Server Against the GHOST Vulnerability

Introduction

On January 27, 2015, a GNU C Library (glibc) vulnerability, referred to as the GHOST vulnerability, was announced to the general public. In summary, the vulnerability allows remote attackers to take complete control of a system by exploiting a buffer overflow bug in glibc’s GetHOST functions (hence the name). Like Shellshock and Heartbleed, this vulnerability is serious and affects many servers.

The GHOST vulnerability can be exploited on Linux systems that use versions of the GNU C Library prior to glibc-2.18. That is, systems that use an unpatched version of glibc from versions 2.2 to 2.17 are at risk. Many Linux distributions including, but not limited to, the following are potentially vulnerable to GHOST and should be patched:

  • CentOS 6 & 7
  • Debian 7
  • Red Hat Enterprise Linux 6 & 7
  • Ubuntu 10.04 & 12.04
  • End of Life Linux Distributions

It is highly recommended that you update and reboot all of your affected Linux servers. We will show you how to test if your systems are vulnerable and, if they are, how to update glibc to fix the vulnerability.

Check System Vulnerability

The easiest way to test if your servers are vulnerable to GHOST is to check the version of glibc that is in use. We will cover how to do this in Ubuntu, Debian, CentOS, and RHEL.

Note that binaries that are statically linked to the vulnerable glibc must be recompiled to be made safe—this test does not cover these cases, only the system’s GNU C Library.

Ubuntu & Debian

Check the version glibc by looking up the version of ldd (which uses glibc) like this:

ldd --version

The first line of the output will contain the version of eglibc, the variant of glibc that Ubuntu and Debian use. It might look like this, for example (the version is highlighted in this example):

ldd (Ubuntu EGLIBC 2.15-0ubuntu10.7) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

If the version of eglibc matches, or is more recent than, the ones listed here, you are safe from the GHOST vulnerability:

  • Ubuntu 12.04 LTS: 2.15-0ubuntu10.10
  • Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
  • Debian 7 LTS: 2.13-38+deb7u7

If the version of eglibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.

CentOS & RHEL

Check the version glibc with rpm:

rpm -q glibc

The output should look like this, with the package name followed by version information:

glibc-2.12-1.132.el6_5.4.x86_64

If the version of glibc matches, or is more recent than, the ones listed here, you are safe from the GHOST vulnerability:

  • CentOS 6: glibc-2.12-1.149.el6_6.5
  • CentOS 7: glibc-2.17-55.el7_0.5
  • RHEL 5: glibc-2.5-123.el5_11.1
  • RHEL 6: glibc-2.12-1.149.el6_6.5
  • RHEL 7: glibc-2.17-55.el7_0.5

If the version of glibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.

Fix Vulnerability

The easiest way to fix the GHOST vulnerability is to use your default package manager to update the version of glibc. The following subsections cover updating glibc on various Linux distributions, including Ubuntu, Debian, CentOS, and Red Hat.

APT-GET: Ubuntu / Debian

For currently supported versions of Ubuntu or Debian, update all of your packages to the latest version available via apt-get dist-upgrade:

sudo apt-get update && sudo apt-get dist-upgrade

Then respond to the confirmation prompt with y.

When the update is complete, reboot the server with this command:

sudo reboot

A reboot is necessary since the GNU C Library is used by many applications that must be restarted to use the updated library.

Now verify that your system is no longer vulnerable by following the instructions in the previous section (Check System Vulnerability).

YUM: CentOS / RHEL

Update glibc to the latest version available via yum:

sudo yum update glibc

Then respond to the confirmation prompt with y.

When the update is complete, reboot the server with this command:

sudo reboot

A reboot is necessary since the GNU C Library is used by many applications that must be restarted to use the updated library.

Now verify that your system is no longer vulnerable by following the instructions in the previous section (Check System Vulnerability).

Conclusion

Be sure to update glibc on all of your affected Linux servers. Also, be sure to keep your servers up to date with the latest security updates!

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about us


About the authors

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

A practical thing (hope it could be helpful for anyone). You don’t need to reboot the whole server after updating. If you aren’t able to do this (because of critical thing runnning there, e.g.) — use this cmd which reboots only several applications that actually use vulnerable glibc:

for s in $(lsof | grep libc | awk ‘{print $1}’ | sort | uniq); do if [[ -f “/etc/init.d/$s” && “$(ps aufx | grep -v grep | grep $s)” ]]; then echo $s; service $s restart; fi; done

From: http://blog.wallarm.com/post/109402223343/ghost-a-brief-recap-of-what-you-need-to-know

it can also affect any other program that static compiled with the library

ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15

This is the result i’m getting, can anyone tell me how to patch the package using ubuntu’s built in patches.

For Ubuntu 12.04, looks like the patched version is 2.15-0ubuntu10.10 (vs the older 2.15-0ubuntu10.9) as reported by ldd --version

The procedure didn’t work on : Description: Ubuntu 12.04.5 LTS Release: 12.04 Codename: precise

I had same version after reboot. Any alternative? thanks

“systems that use glibc-2.2 to glibc-2.17 are at risk”

It took me a while, but it finally clicked that glibc-2.2 != glibc-2.20. Just wanted to note this in the comments for anyone else who was wondering why the range given seemed a bit backwards.

Is Ubuntu 14.04 vulnerable?

Thanks for all these information. Could you also please give some more information about Fedora 11 and other versions of Fedora ?

If you’re using amazon linux, glibc-2.17-55.93.amzn1.x86_64 does not seem to be vulnerable, but anything before it (i.e. glibc-2.17-55.92.amzn1.x86_64) is.

Is CentOS release 5.10 vulnerable?

Try DigitalOcean for free

Click below to sign up and get $200 of credit to try our products over 60 days!

Sign up

Join the Tech Talk
Success! Thank you! Please check your email for further details.

Please complete your information!

Get our biweekly newsletter

Sign up for Infrastructure as a Newsletter.

Hollie's Hub for Good

Working on improving health and education, reducing inequality, and spurring economic growth? We'd like to help.

Become a contributor

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Welcome to the developer cloud

DigitalOcean makes it simple to launch in the cloud and scale up as you grow — whether you're running one virtual machine or ten thousand.

Learn more
DigitalOcean Cloud Control Panel