Hello,

48 hours ago a new security vulnerability has been discovered affecting most of the linux distribution running the GNU C Library. 
It is announced as very easy to exploit. You can find accurate details of the security threat quoted below : 

"A heap-based buffer overflow was found in __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2() glibc function call. A remote attacker could use this flaw to execute arbitary code with the permissions of the user running the application."

At HostStage, we have taken actions immediately throughout all our infrastructure and patched all our servers (Shared Web Hosting, CentOS linux VPS managed and not managed, Reseller Web hosting, and all structural servers). 
We have also contacted all Debian / Ubuntu based users mentionning the steps to patch their server, as far as the patch requires a restart, we couldn't take the liberty to apply it. 

You can find the steps below to patch your servers : 

CentOS : 

You can test whether you are vulnerable by typing the command below : 

rpm -q --changelog glibc | grep CVE-2015-0235

If it returns nothing, you must proceed with the glibc update with the following command : 

yum update glibc -y

Otherwise, it would return the line below : 

- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).



Debian / Ubuntu :

You can test whether your OS is impacted by running the following script 

/* ghosttest.c:  GHOST vulnerability tester */
/* Credit: http://www.openwall.com/lists/oss-security/2015/01/27/9 */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>
 
#define CANARY "in_the_coal_mine"
 
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };
 
int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;
 
  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);
  name[len] = '\0';
 
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
 
  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}


Then, you would need to compile it and run it as shown below :

gcc ghosttest.c -o ghosttest
./ghosttest

The scripts will return either of the 2 following values : vulnerable or not vulnerable.

If you are vulnerable you would need to run the following :

sudo apt-get clean
sudo apt-get update
sudo apt-get upgrade
reboot
 
Sincerely Yours,
Vincent Royant
HostStage CEO 


 



Friday, January 30, 2015





« Back