Qualys Security Researchers have discovered a very serious vulnerability in the “
Qualys security researchers have been working closely with Linux distribution vendors to ensure patches were available when the announcement was made on 27th January. In addition to their blog announcement, they have published a detailed advisory that goes into a little more technical detail, including summary, analysis, mitigating factors, case studies, and exploitation.
Glibc is a core part of the Linux operating system: it is the standard C library. Like us, you probably don’t understand what this means unless you are a system admin. Suffice to say, this vulnerability allows an attacker to execute code remotely and then gain complete control of the compromised system.
To demonstrate how real this threat is, Qualys sent a specially crafted email to a mail server and was able to get remote access to the machine. It bypassed all existing protections.
Qualys CTO Wolfgang Kandek said:
Given the sheer number of systems based on Glibc, we believe this is a high severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor.
How to test if you are affected by Ghost
Some ingenious people on Stack Exchange found a tool from the University of Chicago that runs a simple test to check whether your server is vulnerable:
$ wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
$ gcc GHOST.c -o GHOST
$ ./GHOST
Linux Distributions affected by Ghost
The following Linux distributions are affected, and as far as we know have all released patches, or at least will be in the very near future.
- RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
- CentOS Linux version 5.x, 6.x & 7.x
- Ubuntu Linux version 10.04, 12.04 LTS
- Debian Linux version 7.x
- Linux Mint version 13.0
- Fedora Linux version 19 or older
- SUSE Linux Enterprise 11 and older (also openSUSE Linux 11 or older versions).
- Arch Linux glibc version <= 2.18-1
What should you do?
We recommend everyone checks to ensure their system is patched in the coming days. This is a severe vulnerability, and would most likely require some action on your part if you have an unmanaged VPS or dedicated server. If you have managed services, then we recommend getting in touch with your hosting company to check that it has been patched.
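Installing the patched package is not the whole job: glibc is loaded into almost every process, and anything started before the update keeps the old copy mapped until it is restarted. The script below is an added example, not part of the original article or of Qualys's advisory. It assumes a Linux /proc filesystem and that the update replaced the libc file on disk; the sample process tree and its names are constructed.

```shell
#!/bin/sh
# Added example: after the vendor's glibc update is installed, find processes
# that still run the old library and therefore still need a restart.
# Assumption: the package manager replaced the libc file on disk, so the old
# copy appears in /proc/<pid>/maps with the kernel's " (deleted)" suffix.

# Succeeds if the maps text on stdin contains a replaced libc mapping.
# Matches libc-2.19.so and libc.so.6 style names, not libcrypto or libcap.
stale_libc_in_maps() {
    grep -Eq '/libc(-[0-9.]+)?\.so[^/ ]* \(deleted\)$'
}

# Print "PID COMMAND" for every process under procdir (default /proc) that
# still maps the old libc. Run as root to see other users' processes.
list_stale_libc_pids() {
    procdir=${1:-/proc}
    for maps in "$procdir"/[0-9]*/maps; do
        piddir=${maps%/maps}
        # cat may fail (process exited, no permission); that counts as no match
        if cat "$maps" 2>/dev/null | stale_libc_in_maps; then
            printf '%s %s\n' "${piddir##*/}" "$(cat "$piddir/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample tree: two fake processes, one started before the update.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/812" "$d/4021"
    echo smtpd > "$d/812/comm"
    echo sshd > "$d/4021/comm"
    cat > "$d/812/maps" <<'EOF'
7f3a10000000-7f3a101bb000 r-xp 00000000 08:01 131094 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a10600000-7f3a10800000 r-xp 00000000 08:01 131201 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
EOF
    cat > "$d/4021/maps" <<'EOF'
7f9b20000000-7f9b201bb000 r-xp 00000000 08:01 140233 /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    echo "$d"
}

# Scan the live system, or the directory given as the first argument.
list_stale_libc_pids "${1:-/proc}"
```

Any process it lists should be restarted (or the machine rebooted) before the server is considered patched.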
While the exact exploit has not been made public (somewhat mitigating its current use), Qualys said that they would be doing so once they have given people enough time to patch their systems. They will be working on the basis that as soon as 50% of systems have been