Monday, February 2, 2015

CVE-2015-0235 - buffer overflow with glibc a.k.a GHOST vulnerability

As you may know, glibc was found to be susceptible to a heap-based buffer overflow vulnerability, as described in the Red Hat advisory quoted below:

"A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application."

In order to check whether the installed glibc version is susceptible to this vulnerability, you can run the test below:

-- download the test C program --
$wget https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c

-- compile the code --
$gcc gistfile1.c -o CVE-2015-0235

-- execute the test program --
$./CVE-2015-0235
vulnerable
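To show what that test program is actually checking, here is an added example of the same canary technique the published GHOST test uses (my own implementation, not the gist's code): a hostent scratch buffer is followed in memory by a marker string, and gethostbyname_r() is called with an all-digit name sized so that the original __nss_hostname_digits_dots() undercounts the space it needs by one pointer. A vulnerable glibc writes past the buffer into the marker; a fixed glibc notices the buffer is too small and returns ERANGE. The 16-byte address slot and two-pointer layout are assumptions about glibc's internal buffer layout; the GHOST_INCONCLUSIVE result is mine, for libcs (e.g. musl) that reject the probe name before reaching any numeric-host path.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of the probe. INCONCLUSIVE: the libc rejected the name outright,
 * so neither the overflow nor the ERANGE check could be observed. */
enum ghost_result { GHOST_NOT_VULNERABLE, GHOST_VULNERABLE, GHOST_INCONCLUSIVE };

#define CANARY "canary-after-buffer"   /* constructed marker value */

/* Scratch buffer handed to gethostbyname_r(), immediately followed by a
 * canary. An overrun of buffer[] lands in canary[]. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe;

/* Returns 1 if the canary still holds its original value. */
int ghost_canary_intact(void)
{
    return memcmp(probe.canary, CANARY, sizeof(CANARY)) == 0;
}

enum ghost_result ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herr = 0;
    char name[sizeof(probe.buffer)];

    /* Assumed glibc layout: the buffer must hold a 16-byte address slot, two
     * address pointers, the name and its terminator. The original code forgot
     * one more pointer (the h_aliases terminator); size the name so the flawed
     * count fits the buffer exactly while the real need exceeds it. */
    size_t len = sizeof(probe.buffer) - 16 - 2 * sizeof(char *) - 1;

    memset(probe.buffer, 0, sizeof(probe.buffer));
    memcpy(probe.canary, CANARY, sizeof(CANARY));
    memset(name, '0', len);      /* all digits: forces the numeric-host path */
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                             &result, &herr);

    if (!ghost_canary_intact())
        return GHOST_VULNERABLE;         /* the call wrote past buffer[] */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;     /* fixed glibc reports the short buffer */
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:
        puts("vulnerable");
        return 1;
    case GHOST_NOT_VULNERABLE:
        puts("not vulnerable");
        return 0;
    default:
        puts("inconclusive: libc did not take the glibc numeric-host path");
        return 2;
    }
}
```

Compile and run it the same way as the gist ("gcc ghost_check.c -o ghost_check && ./ghost_check"); the exit status (0 fixed, 1 vulnerable, 2 inconclusive) makes it usable from a fleet-wide audit script without parsing the printed text.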

The version of glibc that is currently installed can be confirmed with:

$sudo rpm -q glibc
glibc-2.12-1.149.el6_6.5.x86_64 (for RHEL instance)

Now that you have determined that glibc is vulnerable, update it with "sudo yum update -y glibc" (or "sudo yum update -y" to update all packages). Note that processes already running keep the old glibc mapped until they are restarted, so restart long-running services (or reboot) after the update. Once glibc is patched, run the test program (gistfile1.c) again and check its output:

$./CVE-2015-0235
not vulnerable

For additional confirmation, look at the package changelog to see whether this particular CVE is listed as fixed:

$rpm -q glibc --changelog | head (for RHEL instance)

* Mon Jan 19 2015 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.12-1.149.5
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183533).

You can go through the same sequence on other Linux distributions (the rpm/yum commands shown apply to RPM-based ones), including Amazon Linux:

***************
$sudo rpm -q glibc
glibc-2.17-55.87.amzn1.x86_64

[ec2-user@ip-172-x-x-x ~]$ ./CVE-2015-0235
vulnerable

[ec2-user@ip-172-x-x-x ~]$sudo yum update -y glibc

$sudo rpm -q glibc
glibc-2.17-55.93.amzn1.x86_64

[ec2-user@ip-172-x-x-x ~]$ ./CVE-2015-0235
not vulnerable
***************
