First off, what is the GHOST vulnerability? It’s short for the “gethostbyname” glibc function calls.
So what does it allow? A remote attacker whom is able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
How do you know if your VMware infrastructure is vulnerable?
According to VMware, some of the current VMware products may have a vulnerable version of glibc, but they are non-exploitable.
See this note from VMware:
“We quickly realized that exploitability of this vulnerability depends on where and how the vulnerable function is invoked. In particular, if an attacker cannot control the arguments passed to the gethostbyname* functions, then the overflow cannot be triggered. Suffice it to say, the applicability of this vulnerability to the Exim mail server, cannot be generalized to all software using glibc, or even to all invocations of gethostbyname*.”
Also in a KB article, they state the following:
“While some VMware products do ship with the vulnerable versions of glibc, based on our current analysis VMware products are not affected by this issue. This conclusion is based on not finding a method to pass untrusted input to the vulnerable glibc function in any VMware product.
VMware products that ship with vulnerable versions of glibc will be updated in upcoming releases in accordance with our security response policy found here.”
So in short, the glibc versions deployed are vulnerable to the exploit, but arbitrary code cannot be passed through. Or VMware Engineering has not found a way to do so yet. So there is no immediate risk known, but they will fix it in the next patch cycle.
Here are the references from VMware:
How to determine if your VMware appliances have a vulnerable, (but non-exploitable) version of glibc.
1> Log into your appliance.
2> Run the command:
Review the version against the Novell info for CVE-2015-0235
Now sign-up for the VMware security Announcements here:
As soon as the security patch is released, you will receive and update.
You can also look for new announcements manually here:
Or get twitter updates on the release:
Once VMware release the patches, then patch your vCenter server from the web interface as per this KB article:
Then update your ESXi hosts from the vSphere Update Manager.
If you want to do manual validation to determine the vulnerability or scope across your enterprise on other (non-VMware) Linux machines, then follow these steps:
Here is a simple C test program for all Linux based servers (distro independent; generic method).
Type the following wget command to download GHOST.C on a Linux based system:
gcc -o GHOST GHOST.c