Warning: Ghost bug in Linux servers

Linux server users are scrambling to plug a hole in the GNU C Library that a vendor says allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.

Qualys Inc. said this week the vulnerability is known as GHOST (CVE-2015-0235) as it can be triggered by the gethostbyname functions. It affects systems built on Linux starting with glibc-2.2 released on November 10, 2000. While there was a fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18, it wasn’t classified as a security advisory. As a result a number of distribution weren’t fixed including: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.

A patch was released Tuesday, with Qualsys working with Linux distributors on the solution. However, an expert was quoted on CSO Online saying the problem could be tough for administrators to fix. Mattias Geniar, a systems engineer with the Belgian hosting provider Nucleus, said in a blog post that the libraries are used by a lot of running services. “After the update, each of these services needs to be restarted,” he wrote.

He wrote an entire server should be rebooted after it has been updated, and at minimum all public-facing services such as Web servers and mail servers should also be restarted.

Amol Sarwate, director of engineering with Qualys, told that in tests his company was able to get a shell remotely, “which may allow attackers to steal files, delete programs, install malware or simply perform any other tasks that a user with valid credentials can perform.”

“After [we] identified the buffer overflow (__nss_hostname_digits_dots() function), we went about how this issue can be exploited remotely,” Sarwate told  the site. The overflow can be exploited by calling the gethostbyname*() functions. All an attacker has to do then is install a program that can call the affected functions. Qualsys researchers did it by sending a specially crafted mail to a mail server, which was then take over.

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

ITW in your inbox

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

More Best of The Web