How to protect your Linux server against the GHOST vulnerability (CVE-2015-0235)

Last updated on 06 Sep 2023, 13:18:34.
Category: Cloud servers


What is the GHOST exploit?

On January 27, 2015, it was disclosed that glibc has a buffer overflow bug in the gethostbyname() family of functions (hence the name GHOST).

Just like Shellshock or Heartbleed, this is a critical bug and the impact on Linux servers is huge.

The GHOST vulnerability only affects Linux servers whose GNU C library (glibc) is older than version 2.18. Systems using an unpatched glibc from version 2.2 (not 2.20!) up to and including 2.17 are at risk. The following versions of Linux may be at risk and should be tested:

  • CentOS 6 & 7
  • Debian 7
  • RHEL (Red Hat Enterprise Linux) 6 & 7
  • Ubuntu 10.04 & 12.04
  • End of Life Linux distributions (e.g. CentOS 5)

We therefore recommend that you check whether your server is affected by this bug, install the necessary fixes and restart the server.

You can check whether your server is vulnerable to GHOST as follows:

How to check your server?

The easiest and fastest way to find out whether your server is affected is to check the version of glibc on your server. We go over how to do this on Debian, Ubuntu, RHEL and CentOS.
Note that this check only covers the system-wide GNU C library installed by the package manager, not software you compiled yourself.

Debian and Ubuntu servers

Verify the version of glibc by checking the version of ldd (ldd uses glibc):

ldd --version

The output will show you the version of eglibc, the glibc variant used by Debian and Ubuntu:

ldd (Debian EGLIBC 2.13-38+deb7u7) 2.13
Copyright (C) 2011 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

In this example the package version is 2.13-38+deb7u7 (the value in parentheses on the first line). If the version on your server is greater than or equal to the one listed below for your distribution, your server is not affected by the GHOST vulnerability.

  • Ubuntu 12.04: 2.15-0ubuntu10.10
  • Ubuntu 10.04: 2.11.1-0ubuntu7.20
  • Debian 7: 2.13-38+deb7u7

If your version is OLDER than the above, please upgrade your server (see below).

RHEL and CentOS servers

The easiest way to check the version of glibc is by using rpm:

rpm -q glibc

You will see output like the following, with the version number embedded in the package name:

glibc-2.12-1.132.el6_5.3.x86_64

In this example the package version is 2.12-1.132.el6_5.3. If the version you get back is equal to or more recent than the one listed below for your distribution, your server is not affected by the GHOST vulnerability.

  • CentOS 6: glibc-2.12-1.149.el6_6.5
  • CentOS 7: glibc-2.17-55.el7_0.5
  • RHEL 5: glibc-2.5-123.el5_11.1
  • RHEL 6: glibc-2.12-1.149.el6_6.5
  • RHEL 7: glibc-2.17-55.el7_0.5

If your version is OLDER than the above, please upgrade your server (see below).
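As an added example (not part of the original article), the following Python script automates the check described above: it parses the two sample outputs shown, looks up the fixed version the article lists for the distribution and reports whether the installed package is older. The distribution keys and the simplified version ordering are assumptions of this example; for an authoritative comparison use dpkg --compare-versions or rpmdev-vercmp on the host itself.

```python
import re

# Fixed package versions from the article (key: distro). rpm prints these with a
# "glibc-" prefix and an architecture suffix; both are stripped before comparing.
FIXED_VERSIONS = {
    "ubuntu-12.04": "2.15-0ubuntu10.10",
    "ubuntu-10.04": "2.11.1-0ubuntu7.20",
    "debian-7": "2.13-38+deb7u7",
    "centos-6": "2.12-1.149.el6_6.5",
    "centos-7": "2.17-55.el7_0.5",
    "rhel-5": "2.5-123.el5_11.1",
    "rhel-6": "2.12-1.149.el6_6.5",
    "rhel-7": "2.17-55.el7_0.5",
}

def parse_ldd_version(output):
    """'ldd (Debian EGLIBC 2.13-38+deb7u7) 2.13' -> '2.13-38+deb7u7'."""
    match = re.search(r"\((?:\w+\s+)?E?GLIBC\s+(\S+)\)", output)
    if not match:
        raise ValueError("no (E)GLIBC package version found in ldd output")
    return match.group(1)

def parse_rpm_version(output):
    """'glibc-2.12-1.132.el6_5.3.x86_64' -> '2.12-1.132.el6_5.3' (first line only;
    multilib hosts print one line per architecture)."""
    match = re.match(r"^glibc-(.+)\.[^.]+$", output.strip().splitlines()[0])
    if not match:
        raise ValueError("unexpected 'rpm -q glibc' output")
    return match.group(1)

def _tokens(version):
    # Numeric runs become ints, letter runs stay strings; separators . - + _ are dropped.
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", version)]

def compare_versions(a, b):
    """Simplified dpkg/rpm ordering (an assumption, adequate for the versions above):
    numbers numerically, letters lexically, a number outranks letters. -1/0/1 = a older/equal/newer."""
    ta, tb = _tokens(a), _tokens(b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if type(x) is type(y):
            return -1 if x < y else 1
        return 1 if isinstance(x, int) else -1
    return (len(ta) > len(tb)) - (len(ta) < len(tb))

def is_vulnerable(distro, installed):
    """True when the installed package is older than the article's fixed version."""
    return compare_versions(installed, FIXED_VERSIONS[distro]) < 0
```

Feed the real text of ldd --version to parse_ldd_version (or of rpm -q glibc to parse_rpm_version) and pass the result to is_vulnerable with your distribution key; True means the package is older than the fixed version.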

How to fix the vulnerability?

The fastest and easiest way to upgrade glibc is with the package manager of your Linux distribution, e.g. apt-get or yum.

Debian and Ubuntu: apt-get

For Debian and Ubuntu servers, we recommend upgrading your server to the latest version via apt-get dist-upgrade:

apt-get update && apt-get dist-upgrade

Follow the prompts and, after the installation (which may take a while), restart your server: running services keep the old library loaded until they are restarted. Then run the check above again to confirm that the glibc version is correct.

CentOS and RHEL: yum

Updating glibc is fastest via yum:

yum update glibc

Follow the prompts and, after the installation (which may take a while), restart your server. Then run the check above again to confirm that the glibc version is correct.

