How to determine if your VMware appliances are vulnerable to the GHOST glibc vulnerability

First off, what is the GHOST vulnerability? The name comes from the glibc “gethostbyname” functions: CVE-2015-0235 is a buffer overflow in __nss_hostname_digits_dots(), the internal routine that gethostbyname() and gethostbyname2() (and their _r variants) go through when the name they are handed looks like a numeric address.

So what does it allow? A remote attacker who is able to make an application call either gethostbyname() or gethostbyname2() (or their _r variants) with a hostname the attacker controls could use this flaw to execute arbitrary code with the permissions of the user running the application. The overflow itself is small (at most sizeof(char *) bytes, so 4 or 8), which is why exploitability depends heavily on how the function is called and on who controls its argument; VMware's analysis below rests on exactly that point.

How do you know if your VMware infrastructure is vulnerable?

According to VMware, some current VMware products do ship a vulnerable version of glibc, but VMware has found no way to exploit it in those products.

See this note from VMware:


“We quickly realized that exploitability of this vulnerability depends on where and how the vulnerable function is invoked.  In particular, if an attacker cannot control the arguments passed to the gethostbyname* functions, then the overflow cannot be triggered.  Suffice it to say, the applicability of this vulnerability to the Exim mail server, cannot be generalized to all software using glibc, or even to all invocations of gethostbyname*.”


Also in a KB article, they state the following:


“While some VMware products do ship with the vulnerable versions of glibc, based on our current analysis VMware products are not affected by this issue. This conclusion is based on not finding a method to pass untrusted input to the vulnerable glibc function in any VMware product.

VMware products that ship with vulnerable versions of glibc will be updated in upcoming releases in accordance with our security response policy found here.”


So in short: the glibc builds shipped in these products contain the vulnerable code, but VMware has found no path by which an attacker can feed a hostname of their choosing into the vulnerable function, so no exploit is known against the products themselves. That is the absence of a known path, not proof that none exists, which is why VMware still intends to replace the vulnerable library in upcoming releases under its security response policy rather than leave it in place.

Here are the references from VMware:

http://blogs.vmware.com/security/2015/01/vmware-products-ghost-glibc-gethostbyname-buffer-overflow-cve-2015-0235.html

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2105862

http://blogs.vmware.com/security/vmware-security-response-center

How to determine if your VMware appliances have a vulnerable (but non-exploitable) version of glibc:

1> Log into your appliance.

2> Run the command:

cat /etc/SuSE-release

Compare the SUSE release level shown against the SUSE (Novell) advisory for CVE-2015-0235, which lists the affected and patched glibc packages per SLES release:

http://support.novell.com/security/cve/CVE-2015-0235.html

Now sign-up for the VMware security Announcements here:

http://lists.vmware.com/mailman/listinfo/security-announce

As soon as the security patch is released, you will receive an announcement.

You can also look for new announcements manually here:

http://lists.vmware.com/pipermail/security-announce/2015/date.html

Or get twitter updates on the release:

https://twitter.com/VMwareSRC

Once VMware releases the patches, patch your vCenter Server Appliance from its web management interface as per this KB article:

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2031331

Then update your ESXi hosts from vSphere Update Manager.

If you want to validate manually, or to scope the problem across your enterprise on other (non-VMware) Linux machines, follow these steps.

Here is a simple C test program for any Linux based server. It is distribution independent because it probes the running glibc directly instead of trusting package version strings, which matters on distributions that backported the fix into an older version number.

Download GHOST.c with wget (the address is a URL shortener: save the file, read the source, and only then compile it, rather than piping it straight into a compiler or shell):

wget bit.ly/ghostcheck

Compile it:

gcc -o GHOST GHOST.c

Test it:

./GHOST

Sample output (Fig. 01: GHOST.c bug: a simple way to test whether a Linux system is secure or not): the program prints either “vulnerable” or “not vulnerable”.
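As an added worked example (this is not code from the original post, and not the file behind the shortened link above), here is the same canary technique written out in C, together with a small helper that classifies an upstream glibc version string against the window in which the bug existed upstream (introduced in glibc 2.2, fixed in 2.18). The helper is only a triage filter: SUSE and other vendors backported the fix into older version numbers, so a version inside the window on a patched appliance is not by itself a finding; the runtime probe is what settles it. The function names ghost_check and ghost_upstream_window, the result codes and the canary string are my own choices.

```c
/* GHOST (CVE-2015-0235) probe for the running libc, plus a version triage helper.
 *
 * Technique: the vulnerable __nss_hostname_digits_dots() under-counts the space
 * it needs by sizeof(char *) when handling a digits-only "hostname", so a name
 * sized to fit that wrong count makes it write sizeof(char *) bytes past the
 * caller's buffer. A canary is laid out right behind the buffer: if it changes,
 * the libc is vulnerable. A fixed glibc rejects the too-small buffer with
 * ERANGE before writing anything.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CANARY "in_the_coal_mine"   /* arbitrary marker; any fixed string works */

enum ghost_result {
    GHOST_NOT_VULNERABLE = 0, /* ERANGE returned, canary intact                    */
    GHOST_VULNERABLE     = 1, /* canary overwritten: the overflow happened         */
    GHOST_INCONCLUSIVE   = 2  /* neither, e.g. musl rejects the long name with ENOENT */
};

/* Resolver scratch buffer with the canary placed directly behind it. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe;

enum ghost_result ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;

    memset(probe.buffer, 0, sizeof(probe.buffer));
    memcpy(probe.canary, CANARY, sizeof(CANARY));

    /* Vulnerable size_needed = 16 (host_addr) + 2*sizeof(char *) (h_addr_ptrs)
     * + strlen(name) + 1, forgetting the extra char * for h_alias_ptr. Choose
     * strlen(name) so that wrong total equals the buffer size exactly. */
    size_t len = sizeof(probe.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    char name[sizeof(probe.buffer)];
    memset(name, '0', len);            /* all digits: forces the numeric-address path */
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                                 &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

/* Upstream triage: is version ("2.11.3", "2.17", "2.31-0ubuntu9") inside the
 * window in which the bug existed upstream (glibc 2.2 .. 2.17)? Vendors
 * backported the fix into older version numbers, so "inside the window" means
 * "check the vendor advisory or run ghost_check()", not "vulnerable".
 * Returns 1 inside the window, 0 outside it, -1 if the string is not a version. */
int ghost_upstream_window(const char *version)
{
    char *end;
    long major = strtol(version, &end, 10);
    if (end == version || *end != '.')
        return -1;
    const char *minor_start = end + 1;
    long minor = strtol(minor_start, &end, 10);
    if (end == minor_start)
        return -1;
    if (major != 2)
        return 0;                      /* only the 2.x line ever carried the bug */
    return (minor >= 2 && minor <= 17) ? 1 : 0;
}

int main(void)
{
    char libc[64] = "";
#ifdef _CS_GNU_LIBC_VERSION
    confstr(_CS_GNU_LIBC_VERSION, libc, sizeof(libc));   /* "glibc 2.31" on glibc */
#endif
    if (strncmp(libc, "glibc ", 6) == 0) {
        int w = ghost_upstream_window(libc + 6);
        printf("%s: %s\n", libc,
               w == 1 ? "inside upstream GHOST window (check for a vendor backport)"
             : w == 0 ? "outside upstream GHOST window" : "version string not parseable");
    }
    switch (ghost_check()) {
    case GHOST_VULNERABLE:     puts("vulnerable");     return 1;
    case GHOST_NOT_VULNERABLE: puts("not vulnerable"); return 0;
    default:                   puts("inconclusive (non-glibc libc?)"); return 2;
    }
}
```

Build it with the same gcc line as above and run it on each appliance or server you want to scope; the exit status (0 not vulnerable, 1 vulnerable, 2 inconclusive) makes it easy to drive from a fleet-wide SSH loop, and the canary result is what you should trust when it disagrees with the version string.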
