GHOST Vulnerability and SLES



xuunix
29-Jan-2015, 16:19
Hi

Just wondering whether the ghost vulnerability affects the SLES 11 SP 1.

Does anyone have a view on this?

Cheers, JP

xuunix
29-Jan-2015, 16:29
Apologies, patches here (http://support.novell.com/security/cve/CVE-2015-0235.html)

ab
29-Jan-2015, 16:35
Yes, I believe it does. The fixes for SLES have already been out for a
couple of days so you can look for those if you're current on maintenance
with something still receiving updates (SLES 11 SP3 updates were the ones
I pulled down a couple of nights ago). If you have LTSS support for an
earlier SP then those should show up as well. Alternatively, patch to a
supported version.

The Qualys report for GHOST has a sample program you can compile/run to
test if you are impacted, at least in theory. Apparently a lot of default
services are NOT impacted, so this isn't as big as originally thought;
still, who knows if you have other services that are impacted, or if you
give local access to users who may exploit things, etc.

http://www.openwall.com/lists/oss-security/2015/01/27/9

Sample code from URL above, just for simplicity:


#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r();
   a vulnerable glibc writes past the end of the buffer and clobbers it. */
struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    int retval;

    /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
    /* A name of exactly this length makes the buggy size check pass while the
       actual write is larger than the buffer. */
    size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
    char name[sizeof(temp.buffer)];
    memset(name, '0', len);   /* all digits, so glibc treats it as a numeric address */
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0) {
        puts("vulnerable");
        exit(EXIT_SUCCESS);
    }
    if (retval == ERANGE) {   /* a fixed glibc rejects the undersized buffer */
        puts("not vulnerable");
        exit(EXIT_SUCCESS);
    }
    puts("should not happen");
    exit(EXIT_FAILURE);
}


You probably should not trust this code, since you have no idea if I've
mangled it to do something evil to you. Still, if you do, put it into a
'ghost.c' file and then compile and run it:



gcc ghost.c -o ghost
./ghost


The result is it will either tell you 'vulnerable' or 'not vulnerable'.

--
Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below...

mikewillis
29-Jan-2015, 16:48
> Apologies, patches here (http://support.novell.com/security/cve/CVE-2015-0235.html)

Note that page lists an update for SLES 11 SP1 LTSS* not SLES 11 SP1. If you go to Patch Finder there's a glibc update for SLES 11 SP1 LTSS
https://download.suse.com/patch/finder/#bu=suse&familyId=7261&productId=45404
but not for SLES 11 SP1
https://download.suse.com/patch/finder/#bu=suse&familyId=7261&productId=26322


* https://www.suse.com/support/programs/long-term-service-pack-support.htm

kotek6
02-Feb-2015, 18:16
Hello

Does this update need a server reboot or application restart in a production environment?
As you can find on https://www.novell.com/support/kb/doc.php?id=7016113, a reboot/restart is not required.

mikewillis
02-Feb-2015, 18:38
> Hello
>
> Does this update need a server reboot or application restart in a production environment?
> As you can find on https://www.novell.com/support/kb/doc.php?id=7016113, a reboot/restart is not required.


I'm confused by your post. You ask a question only to then immediately answer it, and you answer it incorrectly. The KB article you link to says "A reboot is required when updating glibc".

kotek6
02-Feb-2015, 18:48
Thank you, and sorry I didn't catch it.

smflood
12-Feb-2015, 16:22
On 02/02/2015 17:44, mikewillis wrote:

> I'm confused by your post. You ask a question only to then immediately
> answer it and you answer it incorrectly. The KB article you link to says
> "A reboot is required when updating glibc".

FWIW my reading of TID 7016113 is that if you "1. Update your entire
system with the latest system updates:" then "A reboot is required when
updating glibc" but if you "2. Apply only the latest glibc patches" then
you do not.

If updating your entire system with latest system updates which include
a kernel upgrade then you do need to reboot (which zypper/YaST will
report) but if just updating glibc then you can restart the various
processes referencing glibc thus avoid the restart. "zypper ps" will
report the various processes that need restarting.

HTH.
--
Simon
SUSE Knowledge Partner

------------------------------------------------------------------------
If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------
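As an added example, not from this thread and not SUSE's zypper code, here is a small POSIX shell script that does the check "zypper ps" automates: it walks /proc/PID/maps looking for processes that still map a libc file the package update replaced on disk (the kernel appends "(deleted)" to such mappings). The two maps files it checks are constructed inline, and the library file name /lib64/libc-2.11.3.so in them is assumed for illustration. The pattern is restricted to libc itself; the glibc package also ships libpthread, libresolv and the libnss_* modules, so widen it if you want every process the update touches.

```shell
#!/bin/sh
# Added example, not from this thread and not zypper's own code. It approximates
# what "zypper ps" reports after a glibc-only update: processes whose address
# space still maps a libc file that has since been replaced on disk. The kernel
# marks such mappings "(deleted)" in /proc/PID/maps, so they are easy to spot.

# stale_libc_in_maps FILE
# Print each distinct libc path in a maps file whose backing file was deleted.
stale_libc_in_maps() {
    # maps fields: address perms offset dev inode pathname [(deleted)]
    # Only libc.so itself / libc-<ver>.so is matched, not libcrypt or libcrypto.
    awk '$7 == "(deleted)" && $6 ~ /\/libc[.-]/ { print $6 }' "$1" | sort -u
}

# count_stale_libc_in_maps FILE
# Number of distinct stale libc paths; 0 means the process already runs on the new glibc.
count_stale_libc_in_maps() {
    stale_libc_in_maps "$1" | wc -l | tr -d ' '
}

# scan_running_processes
# Walk /proc on a live system and print "PID<TAB>comm" for every process that
# still has the old libc mapped, i.e. the ones that need a restart.
scan_running_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        # maps of other users' processes are unreadable without privileges; treat as clean
        n=$(count_stale_libc_in_maps "$maps" 2>/dev/null)
        if [ "${n:-0}" -gt 0 ]; then
            printf '%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')"
        fi
    done
    return 0
}

# Constructed sample maps files (the library file name is assumed for the sake
# of the example): one process still mapping the replaced libc, one that does not.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/maps.stale" <<'EOF'
7f2a1c000000-7f2a1c1a5000 r-xp 00000000 08:01 131210 /lib64/libc-2.11.3.so (deleted)
7f2a1c1a5000-7f2a1c3a5000 ---p 001a5000 08:01 131210 /lib64/libc-2.11.3.so (deleted)
7f2a1c3a5000-7f2a1c3a9000 r--p 001a5000 08:01 131210 /lib64/libc-2.11.3.so (deleted)
7f2a1c3b0000-7f2a1c3cf000 r-xp 00000000 08:01 131200 /lib64/ld-2.11.3.so
7f2a1c5d0000-7f2a1c5e0000 r-xp 00000000 08:01 131300 /lib64/libcrypt-2.11.3.so (deleted)
EOF
cat > "$demo_dir/maps.fresh" <<'EOF'
7f9b40000000-7f9b401a5000 r-xp 00000000 08:01 131211 /lib64/libc-2.11.3.so
7f9b403b0000-7f9b403cf000 r-xp 00000000 08:01 131200 /lib64/ld-2.11.3.so
EOF

echo "stale libc in maps.stale: $(count_stale_libc_in_maps "$demo_dir/maps.stale")"   # 1
echo "stale libc in maps.fresh: $(count_stale_libc_in_maps "$demo_dir/maps.fresh")"   # 0

# On a real host, run with --scan to check the live process table.
if [ "${1:-}" = "--scan" ]; then
    scan_running_processes
fi
```

Run it with --scan on a live host after the glibc update; anything it lists is a candidate for restart. It only matches zypper ps in spirit: zypper reports every process holding any deleted file open or mapped, not just libc, so its list will normally be longer.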

mikewillis
12-Feb-2015, 16:35
> On 02/02/2015 17:44, mikewillis wrote:
>
> > I'm confused by your post. You ask a question only to then immediately
> > answer it and you answer it incorrectly. The KB article you link to says
> > "A reboot is required when updating glibc".
>
> FWIW my reading of TID 7016113 is that if you "1. Update your entire
> system with the latest system updates:" then "A reboot is required when
> updating glibc" but if you "2. Apply only the latest glibc patches" then
> you do not.
>
> If updating your entire system with latest system updates which include
> a kernel upgrade then you do need to reboot (which zypper/YaST will
> report) but if just updating glibc then you can restart the various
> processes referencing glibc thus avoid the restart. "zypper ps" will
> report the various processes that need restarting.


Huh. Yeah, I can see that interpretation because "2. Apply only the latest glibc patches" doesn't say anything about a reboot. But section 1 contains

> Note: A reboot is required when updating glibc. In order for the patch to address the gethostbyname*() vulnerability listed for this CVE.

I think it would read better as one sentence (…updating glibc in order for…), but it does provide an explanation for why a reboot is required after updating glibc.

Perhaps use of the 'Provide Feedback' link on the TID is merited.

smflood
13-Feb-2015, 12:26
On 12/02/2015 15:44, mikewillis wrote:

> Huh. Yeah, I can see that interpretation because "2. Apply only the
> latest glibc patches" doesn't say anything about a reboot. But section 1
> contains
>> Note: A reboot is required when updating glibc. In order for the patch
>> to address the gethostbyname*() vulnerability listed for this CVE.
> I think it would read better as one sentence (…updating glibc in order
> for…), but it does provide an explanation for why a reboot is required
> after updating glibc.

Well if you install a kernel update zypper will prompt that the machine
needs restarting but you don't get such a message when just updating glibc.

> Perhaps use of the 'Provide Feedback' link on the TID is merited.

That I may do when I get a moment.

HTH.
--
Simon
SUSE Knowledge Partner
