Tutorial
How To Protect Your Linux Server Against the GHOST Vulnerability
Introduction
On January 27, 2015, a GNU C Library (glibc) vulnerability, referred to as the GHOST vulnerability, was announced to the general public. In summary, the vulnerability allows remote attackers to take complete control of a system by exploiting a buffer overflow bug in glibc’s GetHOST functions (hence the name). Like Shellshock and Heartbleed, this vulnerability is serious and affects many servers.
The GHOST vulnerability can be exploited on Linux systems that use versions of the GNU C Library prior to glibc-2.18. That is, systems that use an unpatched version of glibc from versions 2.2 to 2.17 are at risk. Many Linux distributions including, but not limited to, the following are potentially vulnerable to GHOST and should be patched:
- CentOS 6 & 7
- Debian 7
- Red Hat Enterprise Linux 6 & 7
- Ubuntu 10.04 & 12.04
- End of Life Linux Distributions
It is highly recommended that you update and reboot all of your affected Linux servers. We will show you how to test if your systems are vulnerable and, if they are, how to update glibc to fix the vulnerability.
Check System Vulnerability
The easiest way to test if your servers are vulnerable to GHOST is to check the version of glibc that is in use. We will cover how to do this in Ubuntu, Debian, CentOS, and RHEL.
Note that binaries that are statically linked to the vulnerable glibc must be recompiled to be made safe—this test does not cover these cases, only the system’s GNU C Library.
Ubuntu & Debian
Check the version glibc by looking up the version of ldd (which uses glibc) like this:
ldd --version
The first line of the output will contain the version of eglibc, the variant of glibc that Ubuntu and Debian use. It might look like this, for example (the version is highlighted in this example):
ldd (Ubuntu EGLIBC 2.15-0ubuntu10.7) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
If the version of eglibc matches, or is more recent than, the ones listed here, you are safe from the GHOST vulnerability:
- Ubuntu 12.04 LTS:
2.15-0ubuntu10.10 - Ubuntu 10.04 LTS:
2.11.1-0ubuntu7.20 - Debian 7 LTS:
2.13-38+deb7u7
If the version of eglibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.
CentOS & RHEL
Check the version glibc with rpm:
rpm -q glibc
The output should look like this, with the package name followed by version information:
glibc-2.12-1.132.el6_5.4.x86_64
If the version of glibc matches, or is more recent than, the ones listed here, you are safe from the GHOST vulnerability:
- CentOS 6:
glibc-2.12-1.149.el6_6.5 - CentOS 7:
glibc-2.17-55.el7_0.5 - RHEL 5:
glibc-2.5-123.el5_11.1 - RHEL 6:
glibc-2.12-1.149.el6_6.5 - RHEL 7:
glibc-2.17-55.el7_0.5
If the version of glibc is older than the ones listed here, your system is vulnerable to GHOST and should be updated.
Fix Vulnerability
The easiest way to fix the GHOST vulnerability is to use your default package manager to update the version of glibc. The following subsections cover updating glibc on various Linux distributions, including Ubuntu, Debian, CentOS, and Red Hat.
APT-GET: Ubuntu / Debian
For currently supported versions of Ubuntu or Debian, update all of your packages to the latest version available via apt-get dist-upgrade:
sudo apt-get update && sudo apt-get dist-upgrade
Then respond to the confirmation prompt with y.
When the update is complete, reboot the server with this command:
sudo reboot
A reboot is necessary since the GNU C Library is used by many applications that must be restarted to use the updated library.
Now verify that your system is no longer vulnerable by following the instructions in the previous section (Check System Vulnerability).
YUM: CentOS / RHEL
Update glibc to the latest version available via yum:
sudo yum update glibc
Then respond to the confirmation prompt with y.
When the update is complete, reboot the server with this command:
sudo reboot
A reboot is necessary since the GNU C Library is used by many applications that must be restarted to use the updated library.
Now verify that your system is no longer vulnerable by following the instructions in the previous section (Check System Vulnerability).
Conclusion
Be sure to update glibc on all of your affected Linux servers. Also, be sure to keep your servers up to date with the latest security updates!
Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.
author
This textbox defaults to using Markdown to format your answer.
You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!
Become a contributor for community
Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.
DigitalOcean Documentation
Full documentation for every DigitalOcean product.
Resources for startups and SMBs
The Wave has everything you need to know about building a business, from raising funding to marketing your product.
The developer cloud
Scale up as you grow — whether you're running one virtual machine or ten thousand.
Get started for free
Sign up and get $200 in credit for your first 60 days with DigitalOcean.*
*This promotional offer applies to new accounts only.
A practical thing (hope it could be helpful for anyone). You don’t need to reboot the whole server after updating. If you aren’t able to do this (because of critical thing runnning there, e.g.) — use this cmd which reboots only several applications that actually use vulnerable glibc:
for s in $(lsof | grep libc | awk ‘{print $1}’ | sort | uniq); do if [[ -f “/etc/init.d/$s” && “$(ps aufx | grep -v grep | grep $s)” ]]; then echo $s; service $s restart; fi; done
From: http://blog.wallarm.com/post/109402223343/ghost-a-brief-recap-of-what-you-need-to-know
it can also affect any other program that static compiled with the library
ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15
This is the result i’m getting, can anyone tell me how to patch the package using ubuntu’s built in patches.
For Ubuntu 12.04, looks like the patched version is
2.15-0ubuntu10.10(vs the older2.15-0ubuntu10.9) as reported byldd --versionThe procedure didn’t work on : Description: Ubuntu 12.04.5 LTS Release: 12.04 Codename: precise
I had same version after reboot. Any alternative? thanks
It took me a while, but it finally clicked that
glibc-2.2!=glibc-2.20. Just wanted to note this in the comments for anyone else who was wondering why the range given seemed a bit backwards.Is Ubuntu 14.04 vulnerable?
Thanks for all these information. Could you also please give some more information about Fedora 11 and other versions of Fedora ?
If you’re using amazon linux,
glibc-2.17-55.93.amzn1.x86_64does not seem to be vulnerable, but anything before it (i.e.glibc-2.17-55.92.amzn1.x86_64) is.Is CentOS release 5.10 vulnerable?