January 27, 2015

CVE-2015-0235 - how to handle the "GHOST" vulnerability affecting Linux distributions

Carl Leonard Principal Security Analyst

Websense® Security Labs™ are aware that a vulnerability has been identified in the GNU C Library that can lead to remote code execution under certain circumstances.  The GNU C Library (glibc) is a core component of GNU systems and those with the Linux kernel; thus it has potential for a very significant attack surface area.

The vulnerability has been assigned CVE-2015-0235 and is being referred to as "GHOST".


  • The issue exists within the __nss_hostname_digits_dots() function, which is used by the gethostbyname() or gethostbyname2() functions.
  • Exploitation of the vulnerability can lead to remote code execution (RCE).  This provides an attacker the capability to run code of their choosing on the affected machine.
  • glibc versions prior to 2.18 are affected.  You should be aware that later versions of glibc may not have been included in the latest versions of many distributions.  In fact, many Linux distribution vendors are now making patches available.
  • There are certain conditions which reduce the impact of this bug.  Details are provided below.

How is it exploited?

Although we have not seen web-based or email-based attacks, Qualys, the team who discovered the bug, do have evidence to show how an MTA (mail transfer agent) can be exploited by sending a specially crafted packet to trigger a buffer overflow and subsequent arbitrary code execution.

How do you know if your instance is vulnerable?

It is known that the following distributions are amongst those affected: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04.

Code that tests for the vulnerability has been made available on the github forum.  Of course, we extend a word of caution to use such code at your own risk.  You can also check which version of glibc you are running by executing the commandldd --version at your command prompt.

Mitigation Advice

The difficulty of exploitation depends on the target system implementation.  In a post to the OpenWall security forum Qualys do note that the vulnerable functions are no longer always called having been replaced by the getaddrinfo() function in  IPV6 implementations, that pre-validation of the argument sent to the function removes the potential for exploitation and that glibc itself was patched in 2013.

However, when these conditions do not apply the risk is deemed critical.

Fortunately various product vendors are rolling out updates to patch their affected distributions.  We strongly recommend that you check with your Linux distribution vendor to see if they have a patch available.  If so, you should review how to apply this patch to your environment as soon as possible in order to mitigate potential risk, not least because the bug is deemed critical.

Websense Security Labs will continue to investigate the implications of this vulnerability.

Carl Leonard

Principal Security Analyst

Carl Leonard is a Principal Security Analyst within Forcepoint X-Labs. He is responsible for enhancing threat protection and threat monitoring technologies at Forcepoint, in collaboration with the company’s global Labs teams. Focusing on protecting companies against the latest cyberattacks that...

Read more articles by Carl Leonard

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.