GHOST Vulnerability in Linux - Faulkner Information Services (2023)

GHOST vulnerability in Linux

PDF version of this report
You need Adobe Acrobat Reader to view, save or print PDF files. The reader is available forFree downloads.

vonGeoff Keston
Copyright April 2015 by Faulkner Information Services. All rights reserved.

In this report...


What GHOST can do
source file


In January 2015, a vulnerability was discovered in the Linux operating system that caused serious security problems. It is listed as "GHOST" after the GetHOSTbyname() function.1The vulnerability allows remote hackers to take control of Linux-based systems.2Jon Oberheide of security vendor Duo Security described the threat this way: "There could be a lot of collateral damage on the Internet if this exploit is made public, which they [the hackers] seem to want to do, and if other people start writing exploits for other purposes. " ."3

Another reason why GHOST has raised concerns is that several widespread vulnerabilities have recently been found in open source platforms:

  • heart blood– Heartbleed is based on OpenSSL. It allows hackers to access parts of the Linux system memory to steal passwords and other critical information. Security expert Bruce Schneier says, "On a scale of 1 to 10, that's an 11."4

  • Boca- The Padding Oracle onDowngraded Legacy Encryption (Poodle) vulnerability resides in Secure Socket Layer3. It allows hackers to perform man-in-the-middle attacks.5

  • Neurosis- The Shellshock vulnerability can be found on Linux as well as UNIX and MacOS X platforms. It is also referred to as a "bash bug" because it uses the bash system shell, which is used to interpret data from the command line. Hackers can exploit this vulnerability to take control of a remote system.6

What GHOST can do

[Return toThe topdefeated]

The GHOST vulnerability is actually quite old. It has existed since 2000 and was even identified in May 2013. However, it was not recognized as a security risk until January 2015, so hackers were able to exploit it for a long time.7The security risk in the vulnerability was discovered by Qualys, who discovered that the issue exists on Linux platforms such as CentOS 6 and 7, Debian 7, Red Hat Enterprise Linux 6 and 7, and Ubuntu 12.04, among others.8Qualys identified the following Linux components as potential targets of the vulnerability: "Apache, Cups, Dovecot, Gnupg, ISC-DHCP, Lighttpd, Mariadb/MySQL, NFS-Utils, Nginx, NodeJS, OpenLDAP, OpenSh, Postfix, Profitpd, Pure - FTPD." " , rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd and xinetd."9

Qualy investigated the vulnerability by running a test by sending an email to a Linux server. Email is designed to evade security mechanisms such as Address Space Layout Randomization (ASLR), a technique that places executables in random locations in memory so that buffer overflow-type attacks cannot easily find them.10ASLR has been available for Linux since 2001 and is now used on Windows and Apple platforms and on some mobile devices. (A test conducted by Qualys also managed to bypass NX and PIE, two other common security mechanisms used in Linux.) By bypassing these mechanisms, a hacker without credentials could take control of a remote system. Qualys notified Linux platform developers of the vulnerability and they responded with patches for their software.

The GHOST vulnerability resides in Linux's GNU C library (glibc), which is used by programs to access operating system services. (Only glibc versions 2.17 through 2.2 are affected.) The glibc libraries are critical to the operation of Linux and are used by many operating system services. As described by Mattias Geniar, administrators can identify all of these services on their systems by running the command $lsof | grep libc | awk '{print $1}' | order |unique."11Each of these services must be restarted after the vulnerability has been removed, either individually or by rebooting the entire system.

Technology author Steven J. Vaughan-Nichols describes how the vulnerability is exploited: “The vulnerability can be activated by exploiting glibc's gethostbyname function. This function is used on almost all Linux network computers when a computer is asked to access another network computer, either through /etc/hosts files or, more commonly, by resolving Internet domain names using the Domain Name System (DNS). )."

a different perspective

While some observers see GHOST as a serious threat, others believe this fear is overblown. For example, an analysis published by security firm Trend Micro concludes that "Further investigation shows that this particular vulnerability, while serious, is not easily exploitable and has a very limited attack surface."12

This conclusion is based on three observations:

  • Since the issue was discovered in 2013, the vulnerability has not been present on newer Linux systems.

  • For many applications on Linux, there is little or no risk.

  • The used function - GetHOSTbyname() - has already been replaced.

The analysis concludes that GHOST is much less likely to cause real problems than other current open source vulnerabilities. Companies should therefore not panic, but approach the problem "calmly and orderly".

Security firm Symante makes a similar assessment, saying GHOST "isn't as scary as it seems."13Symantec says GHOST is less likely to actually be exploited than Heartbleed and ShellShock, noting, "There are no reports of the vulnerability being exploited in the wild."


[Return toThe topdefeated]

The number one advice experts give regarding GHOST is to simply patch all affected systems. Most of the leading Linux platform developers created patches shortly after the vulnerability was discovered in January and published manuals specific to their software. Visit the websites below for updates from some of the leading developers:

The GHOST Guide also offers lessons on server security in general. Patching is a critical step in system protection and routine software updates can fix many problems before they are identified as a security threat. IT administrators can do a lot to protect their networks by maintaining a formal patch management program. Such a program includes keeping detailed records of all software used, tracking the release of patches, and applying patches systematically. It can also involve testing patches before deploying them to systems used in the network.

Another lesson IT administrators can learn from GHOST is the importance of close contact with software developers. Developers often post posts like the one above. By receiving these alerts as soon as possible, IT administrators can remediate vulnerabilities before they are exploited.

source file

[Return toThe topdefeated]


  • 1R Jennings. "GHOST: Most Linux servers have a terrible, terrible vulnerability (in glibc)." Computer world. January 2015
  • 2SJ Vaughan-Nichols. "GHOST, a critical vulnerability, has been discovered." ZDNet. January 2015
  • 3D Goodin. "A highly critical 'ghost' that enables code execution affects most Linux systems." Ars Technica. January 2015
  • 4B Schneider. "heart bleeds". Schneier on safety. April 2014
  • 5"POODLE: SSLv3 Vulnerability (CVE-2014-3566)." Red Hat. February 2015
  • 6"ShellShock 101 - What you need to know and do to protect your systems." DRY. 2015
  • 7J Kirk. "Scary 'ghost' vulnerability leaves Linux systems vulnerable to theft." IDG News Service. January 2015
  • 8"The GHOST Vulnerability." Qualys. January 2015
  • 9"Qualys Security Advisory: 'Re: Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow' (E-mail)." Qualys. siječnja 2015.
  • 10M. Rouse. “Address Space Layout Randomization (ASLR).
  • 11M genius. "GHOST: Critical Glibc Update (CVE-2015-0235) in gethostbyname() calls." January 2015
  • 12P Koninger. "Not So Scary: Linux 'Ghost' Vulnerability." TrendLabs Security Intelligence blog. January 2015
  • 13"The Linux GHOST vulnerability (CVE-2015-0235) is not as scary as it seems." Symantec. January 2015

Over by author

[Return toThe topdefeated]

Geoff Kestonis the author of more than 250 articles helping companies find opportunities in business trends and technology. He also works directly with customers to develop communication strategies that improve processes and customer relationships. Mr. Keston has worked as a project manager for a large technology consulting and services company and is a Microsoft Certified Systems Engineer and a Novell Certified Administrator.

Website content copyright 2015,Faulkner Information Services. All rights reserved.

Return to the security management practice home page

Top Articles
Latest Posts
Article information

Author: Lidia Grady

Last Updated: 06/10/2023

Views: 5583

Rating: 4.4 / 5 (65 voted)

Reviews: 80% of readers found this page helpful

Author information

Name: Lidia Grady

Birthday: 1992-01-22

Address: Suite 493 356 Dale Fall, New Wanda, RI 52485

Phone: +29914464387516

Job: Customer Engineer

Hobby: Cryptography, Writing, Dowsing, Stand-up comedy, Calligraphy, Web surfing, Ghost hunting

Introduction: My name is Lidia Grady, I am a thankful, fine, glamorous, lucky, lively, pleasant, shiny person who loves writing and wants to share my knowledge and understanding with you.