A vulnerability in all versions of the GNU C library (glibc) was announced by Qualys. The issue is a buffer overflow during DNS hostname resolution. Disclosure of this issue was coordinated with the various operating system vendors and key partners, and patches were made available by RedHat soon after the initial announcement went out.
Impact
According to Qualys, a leading cloud security and compliance provider, this vulnerability allows unauthenticated remote code execution in any daemon or service that performs hostname lookups using the vulnerable functions in the GNU C library. This library is at the core of most services and software that run on Linux systems.
Qualys has successfully used this vulnerability to attack the Exim mail transport agent that all cPanel & WHM systems use. Qualys was also able to create a Metasploit module to make testing and exploitation of the vulnerability very simple. Presently, Qualys has not released any attack code, only a detailed analysis of the vulnerability and its impact.
How to determine if your server is vulnerable
The updated RPMs provided by RedHat, CentOS, and CloudLinux will contain a changelog entry with the CVE number – you can check for this changelog entry with the following command:
rpm -q --changelog glibc | grep CVE-2015-0235
If a changelog line is displayed, the server has the updated RPMs installed.
How to patch a vulnerable server
Please note that cPanel does not provide the glibc RPM; it is provided by the vendor of your operating system.
To patch your server, simply run the following command:
yum clean all ; yum update glibc
Then, to verify:
rpm -q --changelog glibc | grep CVE-2015-0235
Once this has been done, you will need to reboot the server or manually restart all running services, as RHEL-based systems do not restart running daemons when libc is updated. Please feel free to submit a ticket to us if you are unsure how to do this; our friendly support team would be more than happy to assist you as needed.
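If you restart services manually rather than rebooting, the following added example (not part of the original advisory or any vendor tooling) lists processes that still have the old libc loaded. It relies on the fact that Linux marks a mapped file that has since been replaced on disk as "(deleted)" in /proc/PID/maps; the function name stale_libc_pids and the "check" argument are names chosen for this example.

```shell
#!/bin/sh
# Added example: find processes still running the pre-update glibc.
# After "yum update glibc" the old library file is unlinked, so any process
# that loaded it before the update shows the mapping as "(deleted)".
# Usage: run this file with the single argument "check" as root.

# stale_libc_pids [PROC_ROOT]
# Prints "PID NAME" for each process whose maps reference a deleted libc.
# PROC_ROOT defaults to /proc; the parameter is an assumption of this
# example so the function can be pointed at a constructed test tree.
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for dir in "$proc_root"/[0-9]*; do
        # Skip entries we cannot read (process exited, or not root).
        [ -r "$dir/maps" ] || continue
        # Matches /lib64/libc-2.12.so (deleted) and /lib64/libc.so.6 (deleted),
        # but not other libraries such as libcrypto or libcap.
        if grep -Eq '/libc[-.][^ ]*so[^ ]* \(deleted\)$' "$dir/maps" 2>/dev/null; then
            pid="${dir##*/}"
            name="unknown"
            [ -r "$dir/comm" ] && name="$(cat "$dir/comm" 2>/dev/null)"
            printf '%s %s\n' "$pid" "${name:-unknown}"
        fi
    done
}

# Only inspect the live system when explicitly asked to.
if [ "${1:-}" = "check" ]; then
    stale="$(stale_libc_pids /proc)"
    if [ -n "$stale" ]; then
        echo "Still using the old glibc (restart these services or reboot):"
        echo "$stale"
    else
        echo "No running process maps a deleted libc."
    fi
fi
```

An empty result after restarting services means no running process is still executing code from the unpatched library.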