“Ghost” Vulnerability Discovered in Linux

January 27, 2015, a buffer overflow flaw—dubbed “Ghost”—was discovered in the Linux GNU C Library (glibc) versions 2.2 and other 2.x versions before 2.18. It allows remote code execution via the gethostbyname*() function. Researchers have initially identified clockdiff, procmail, pppd, and the Exim mail server software as attack vectors. However, other findings later on surfaced that a malicious attacker can use Ghost to remotely control affected web servers via PHP web applications like WordPress. With PHP thrown in, the range of attack vectors significantly increased.

This vulnerability is tagged as CVE-2015-0235 in the Common Vulnerabilities and Exposures database. Although this bug is already fixed in glibc-2.18, which was released in May 2013, it was not flagged as security issue then. This means that some linux distributions, like those developed for long-term support are likely not patched and are still using vulnerable glibc versions.

Patches can be downloaded from the following links:

After patching, it is best to reboot an entire server or at least, restart the public-facing ones. The GNU C Library versions 2.18 and later are also available for download and implementation.

Comments are closed.