Jan 29, 2015

Defend Your Server Against ‘GHOST’ Exploit

Updates 1/30/2015:

  • PHP applications are found to be vulnerable. This includes WordPress and other PHP-based applications.
  • Haldaemon and init, both common applications, use the glibc library. If you have these running (and chances are you do), you will need to reboot your server, not just restart specific services. To be clear, a full reboot is more than likely required to ensure a completely secure environment.

What is GHOST?
The vulnerability, being called ‘GHOST’, is a buffer overflow that can be triggered through two functions that are part of the glibc library. The glibc library is very commonplace, meaning this vulnerability has the potential to affect multiple systems and applications. A successful attack would allow the attacker to run arbitrary code on the target system with the permissions of the running process.

What Can You Do To Protect Your Server
For our Proactive Managed Clients, we are currently in the process of verifying these systems are patched and secure. Rest assured, no systems or services will be restarted or interrupted without prior communication.

For our Essential Managed Clients, we have provided information and links below to assist you in patching your server if it is affected.

The following Linux distributions are known to be affected by this exploit:

  • RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
  • CentOS Linux 5.x, 6.x and 7.x
  • Ubuntu Linux 10.04, 12.04 LTS
  • Debian Linux 7.x
  • Linux Mint 13.0
  • Fedora Linux 19 or older
  • SUSE Linux Enterprise 11 and older (also openSUSE Linux 11 or prior)
  • SUSE Linux Enterprise Software Development Kit 11 SP3
  • SUSE Linux Enterprise Server 10 SP4 LTSS
  • SUSE Linux Enterprise Server 11 SP3 for VMware
  • SUSE Linux Enterprise Server 11 SP3
  • SUSE Linux Enterprise Server 11 SP2 LTSS
  • SUSE Linux Enterprise Server 11 SP1 LTSS
  • SUSE Linux Enterprise Desktop 11 SP3
  • Arch Linux glibc 2.18-1 or prior

Essential Managed customers: please make sure that you get your servers checked for this vulnerability and patched as needed. This article contains instructions to determine if your system is vulnerable and how to patch it.

In many cases an affected server must be rebooted in order for the patches to take effect. As each server is unique, a reboot may not be required.

If, after patching, you are able to manually restart every service listed by the following command, a reboot shouldn’t be necessary:

lsof | grep libc | awk '{print $1}' | sort | uniq
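
The command above lists every process that has a libc file open, whether or not it was restarted after the update. The following script is an added example, not part of the original article: it narrows the list to processes that still map the replaced libc. The function names stale_libc_pids and make_fixture and the fixture contents are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): after updating glibc, list
# processes that still map the old, replaced libc and so need a restart.

# stale_libc_pids [PROC_ROOT] -> prints "PID NAME" per affected process.
# PROC_ROOT defaults to /proc; the parameter exists so the check can be run
# against a constructed fixture.
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # The kernel appends "(deleted)" to a mapping whose backing file was
        # unlinked, which is what a package update does to the old libc.
        if grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir="${maps%/maps}"
            name="$(cat "$dir/comm" 2>/dev/null || echo unknown)"
            printf '%s %s\n' "${dir##*/}" "$name"
        fi
    done
    return 0
}

# make_fixture DIR: constructed sample data, three fake processes.
make_fixture() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    echo httpd > "$1/101/comm"
    echo sshd > "$1/202/comm"
    echo imapd > "$1/303/comm"
    # 101: started before the update, still maps the replaced libc.
    echo '7f10a000-7f28a000 r-xp 00000000 fd:00 131 /lib64/libc-2.12.so (deleted)' > "$1/101/maps"
    # 202: restarted after the update, maps the current file.
    echo '7f10a000-7f28a000 r-xp 00000000 fd:00 977 /lib64/libc-2.12.so' > "$1/202/maps"
    # 303: a different deleted library whose name merely starts with "libc".
    echo '7f10a000-7f1ff000 r-xp 00000000 fd:00 552 /usr/lib64/libc-client.so.2007 (deleted)' > "$1/303/maps"
}

# Run against the live system (root is needed to read other users' maps).
stale_libc_pids "${1:-/proc}"
```

An empty result when run as root means no running process still maps a replaced libc; if PID 1 (init) appears in the output, only a reboot will clear it.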

As always, feel free to contact us by phone, ticket, or chat if you have any questions.



  • Dan

    Thanks for the heads up Philip. Servers patched. Keep it up!