How to determine if your VMware appliances are vulnerable to the GHOST glibc vulnerability

First off, what is the GHOSTGHOST vulnerability? It’s short for the “gethostbyname” glibc function calls.

So what does it allow? A remote attacker whom is able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.

How do you know if your VMware infrastructure is vulnerable?

According to VMware, some of the current VMware products may have a vulnerable version of glibc, but they are non-exploitable.

See this note from VMware:

“We quickly realized that exploitability of this vulnerability depends on where and how the vulnerable function is invoked.  In particular, if an attacker cannot control the arguments passed to the gethostbyname* functions, then the overflow cannot be triggered.  Suffice it to say, the applicability of this vulnerability to the Exim mail server, cannot be generalized to all software using glibc, or even to all invocations of gethostbyname*.”

Also in a KB article, they state the following:

“While some VMware products do ship with the vulnerable versions of glibc, based on our current analysis VMware products are not affected by this issue. This conclusion is based on not finding a method to pass untrusted input to the vulnerable glibc function in any VMware product.

VMware products that ship with vulnerable versions of glibc will be updated in upcoming releases in accordance with our security response policy found here.”

So in short, the glibc versions deployed are vulnerable to the exploit, but arbitrary code cannot be passed through. Or VMware Engineering has not found a way to do so yet. So there is no immediate risk known, but they will fix it in the next patch cycle.

Here are the references from VMware:

How to determine if your VMware appliances have a vulnerable, (but non-exploitable) version of glibc.

1> Log into your appliance.

2> Run the command:

cat /etc/SuSE-release

Review the version against the Novell info for CVE-2015-0235

Now sign-up for the VMware security Announcements here:

As soon as the security patch is released, you will receive and update.

You can also look for new announcements manually here:

Or get twitter updates on the release:

Once VMware release the patches, then patch your vCenter server from the web interface as per this KB article:

Then update your ESXi hosts from the vSphere Update Manager.

If you want to do manual validation to determine the vulnerability or scope across your enterprise on other (non-VMware) Linux machines, then follow these steps:

Here is a simple C test program for all Linux based servers (distro independent; generic method).

Type the following wget command to download GHOST.C on a Linux based system:


Compile it:

gcc -o GHOST GHOST.c

Test i:


Sample outputs:

Fig. 01: GHOST.c  bug:  A simple way to test if Linux system is secure or not

One thought on “How to determine if your VMware appliances are vulnerable to the GHOST glibc vulnerability

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s