Vulnerability in GNU C Library Could Allow for Remote Code Execution (Ghost Vulnerability)

ITS Advisory Number: 
Date(s) Issued: Wednesday, January 28, 2015

A vulnerability has been discovered in the GNU C Library (glibc) which could allow for remote code execution. This library is required in all modern distributions of Linux as it defines the system calls and other basic facilities used in the Linux kernel. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the exploited application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could lead to a denial of service condition for the affected application.

Systems Affected: 
  • Debian 6.0
  • Debian 7.0
  • SuSE Linux 7.1.0
  • WireX Immunix OS 7+
  • Red Hat Enterprise Linux 5
  • Red Hat Enterprise Linux 6
  • Red Hat Enterprise Linux 7
  • Oracle Enterprise Linux 5
  • CentOS 6
  • CentOS 7
  • Ubuntu 10.04
  • Ubuntu 12.04
Large and medium government entities: 
Small government entities: 
Large and medium business entities: 
Small business entities: 
Home Users: 

A critical bug, commonly found in the "glibc" library in all Linux distributions, was discovered today by code auditors from Qualys. The bug allows attackers to remotely execute arbitrary code via the gethostbyname*() functions within the library. This vulnerability has been labeled as CVE-2015-0235. Although this vulnerability was patched on May 21, 2013, it was not recognized as a major security threat; as a result, most stable and long-term-support distributions remain exposed to this vulnerability. Signatures have not been made available at this time.

The vulnerability is exploited via a buffer overflow in the "__nss_hostname_digits_dots()" function in glibc. This function is reachable locally and remotely via the function calls:

  • gethostbyname()
  • gethostbyname2()
  • gethostbyname_r()
  • gethostbyname2_r()

The exploitable portion of the function is in the following code lines:

    size_needed = (sizeof (*host_addr) + sizeof (*h_addr_ptrs)
                   + strlen (name) + 1);
    host_addr = (host_addr_t *) *buffer;
    h_addr_ptrs = (host_addr_list_t *) ((char *) host_addr + sizeof (*host_addr));
    h_alias_ptr = (char **) ((char *) h_addr_ptrs + sizeof (*h_addr_ptrs));
    hostname = (char *) h_alias_ptr + sizeof (*h_alias_ptr);
    resbuf->h_name = strcpy (hostname, name);

The size of one of the pointers used to locate "hostname" (h_alias_ptr) was not included in the buffer size computation in "size_needed". This allows an attacker to overflow the buffer during the "strcpy (hostname, name)" call and insert arbitrary code into memory.
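
The accounting gap described above, as an added example (not glibc's code and not part of the original advisory): it compares the excerpt's size computation with one that also counts the alias pointer, and lays the regions out only after a bounds check. The typedef sizes, the sample name and the helper names size_needed_excerpt, size_needed_full and place_hostname are assumptions made for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Stand-ins for the glibc-internal types named in the excerpt (assumed sizes). */
typedef unsigned char host_addr_t[16];
typedef char *host_addr_list_t[2];

/* Size computation as in the excerpt: sizeof (*h_alias_ptr) is missing. */
static size_t size_needed_excerpt(const char *name)
{
    return sizeof(host_addr_t) + sizeof(host_addr_list_t) + strlen(name) + 1;
}

/* Bytes the four regions really occupy, alias pointer included. */
static size_t size_needed_full(const char *name)
{
    return size_needed_excerpt(name) + sizeof(char *);
}

/* Hypothetical helper: lay out the regions in buf only if all four fit.
   Returns 0 and sets *h_name on success, ERANGE when buf is too small. */
static int place_hostname(char *buf, size_t buflen, const char *name, char **h_name)
{
    if (buflen < size_needed_full(name))
        return ERANGE;
    char *h_addr_ptrs = buf + sizeof(host_addr_t);
    char *h_alias_ptr = h_addr_ptrs + sizeof(host_addr_list_t);
    char *hostname = h_alias_ptr + sizeof(char *);
    memcpy(hostname, name, strlen(name) + 1);   /* bounded by the check above */
    *h_name = hostname;
    return 0;
}

int main(void)
{
    const char *name = "192.0.2.1";             /* constructed sample input */
    char buf[128], *h_name = NULL;
    size_t old = size_needed_excerpt(name), full = size_needed_full(name);
    printf("excerpt counts %zu bytes, layout needs %zu (gap %zu)\n", old, full, full - old);
    printf("buffer of %zu bytes: %s\n", old, place_hostname(buf, old, name, &h_name) ? "rejected" : "accepted");
    printf("buffer of %zu bytes: %s\n", full, place_hostname(buf, full, name, &h_name) ? "rejected" : "accepted");
    return 0;
}
```

A buffer sized exactly to the excerpt's computation is short by the size of one pointer, which is why the corrected check rejects it.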

This vulnerability has the potential to be highly impactful because many applications use the glibc library for host name resolution.

Any system running a version of glibc prior to 2.18 should be considered vulnerable and patched immediately. All services which call glibc must be restarted after patching (or the system restarted). Applications, especially those which resolve IPv4 DNS, should be configured to run with the minimal privileges necessary (not "root" or "su").


We recommend the following actions be taken:

  • Apply appropriate patches provided by the affected Linux distribution to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.