CRITICAL glibc remote vulnerability exploit “GHOST” – patch glibc now!

GHOST Exploit Summary

A nasty new remote exploit has been discovered by Qualys. Without going in to too much detail, the exploit lies in the gethostbyname function in glibc. This function is used to convert DNS addresses in to IP addresses. More details from Qaulys.


What versions are affected?

All versions of glibc across CentOS 5, CentoS 6 and CentOS 7. Apparently the exploit has existed in glibc since the year 2000.

The exploit is fixed in glibc-2.12-1.149.el6


Update glibc

To mitigate the issue, please update to the latest version of glibc:

yum clean all && yum update "glibc*"

Version glibc-2.12-1.149.el6 and up is not affected, so be sure you are at this patch level. If your yum repository does not have this update yet, it may still be rsyncing, or yet to rsync.

IMPORTANT: As many processes use glibc, after updating, some processes may have old glibc libraries open. You can see what processes still have the old glibc open by running the following command:

lsof | grep libc | grep DEL | awk '{print $1}' | sort | uniq

Depending your circumstances, restarting affected systems might be a good option. At a minimum, you should at least restart each service that has old glibc open.


Testing if you’re vulnerable

To test if you’re vulnerable, run the following (Note: please examine gistfile1.c before compiling to ensure that its safe):


gcc gistfile1.c -o CVE-2015-0235



Further Reading

For more information, see the original blog post by Qualys about the exploit.

RHEL patch information:

minaguib gives an excellent explanation of the actual exploit on Reddit.

Share This Post

About Author: Curtis K

Hi! My name is Curtis, and I am the author of CentOS Blog. Please feel free to comment with any suggestions, feedback or questions!