GHOST: Difference between revisions
(Initial page) |
(Change enumeration for numerated list) |
||
| (5 intermediate revisions by 3 users not shown) | |||
| Line 14: | Line 14: | ||
= Update procedure = | = Update procedure = | ||
The operator can use one of the two methods available: GUI/WebPortal or command line interface. | |||
== WebPortal - TMG unit or Linux server '''with access to Internet''' (i.e. with DNS configured) == | |||
# login onto the WebPortal | |||
# Select the 'Hosts' section | |||
# Click on the hostname | |||
# Click on the 'Status' tab | |||
# Select 'Upgrade Linux packages' into the host 'Action' | |||
# Click on the 'Apply action' button | |||
# Refresh the page until the packages are updated as indicated in the 'Action Log' (you may use the 'Now' button to update the page). The results should appear within a minute. | |||
# Select 'Shutdown' into the host 'Action' | |||
# Select 'Reboot' into the 'Shutdown Type' | |||
# Click on the 'Apply action' button | |||
# Repeat the process for all hosts listed | |||
== Command line interface == | |||
* login with root account | * login with root account | ||
[root@TB011107 ~]# uname -m | [root@TB011107 ~]# uname -m | ||
x86_64 | x86_64 | ||
* If the result is not "x86_64", [[Support:Contacting TelcoBridges technical support|please contact TelcoBridges]] support, otherwise you can proceed with either method below. | * If the result is not "x86_64", [[Support:Contacting TelcoBridges technical support|please contact TelcoBridges]] support, otherwise you can proceed with either method below. | ||
* Follow one of the two options depending if Internet is accessible from the unit | |||
=== Option #1 - TMG unit or Linux server '''with access to Internet''' (i.e. with DNS configured) === | |||
* update OS packages with yum | * update OS packages with yum | ||
yum clean all | yum clean all | ||
| Line 27: | Line 45: | ||
reboot | reboot | ||
== TMG unit or Linux server '''without access to Internet''' == | === Option #2 - TMG unit or Linux server '''without access to Internet''' === | ||
* download the following packages to your PC: | * download the following packages to your PC: | ||
** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-2.5-123.el5_11.1.x86_64.rpm | ** http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-2.5-123.el5_11.1.x86_64.rpm | ||
| Line 49: | Line 67: | ||
* login with root account | * login with root account | ||
* execute the following to create a test script | * execute the following to create a test script | ||
cat | cat > rhel-GHOST-test.sh << FOF | ||
#!/bin/bash | #!/bin/bash | ||
# rhel-GHOST-test.sh - GHOST vulnerability tester. Only for CentOS/RHEL based servers. # | # rhel-GHOST-test.sh - GHOST vulnerability tester. Only for CentOS/RHEL based servers. # | ||
| Line 57: | Line 75: | ||
rv=0 | rv=0 | ||
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do | for glibc_nvr in \$( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do | ||
glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' ) | glibc_ver=\$( echo "\$glibc_nvr" | awk -F- '{ print \$2 }' ) | ||
glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }') | glibc_maj=\$( echo "\$glibc_ver" | awk -F. '{ print \$1 }') | ||
glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }') | glibc_min=\$( echo "\$glibc_ver" | awk -F. '{ print \$2 }') | ||
echo -n "- $glibc_nvr: " | echo -n "- \$glibc_nvr: " | ||
if [ "$glibc_maj" -gt 2 | if [ "\$glibc_maj" -gt 2 -o \( "\$glibc_maj" -eq 2 -a "\$glibc_min" -ge 18 \) ]; then | ||
# fixed upstream version | # fixed upstream version | ||
echo 'not vulnerable' | echo 'not vulnerable' | ||
else | else | ||
# all RHEL updates include CVE in rpm %changelog | # all RHEL updates include CVE in rpm %changelog | ||
if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then | if rpm -q --changelog "\$glibc_nvr" | grep -q 'CVE-2015-0235'; then | ||
echo "not vulnerable" | echo "not vulnerable" | ||
else | else | ||
| Line 78: | Line 95: | ||
done | done | ||
if [ $rv -ne 0 ]; then | if [ \$rv -ne 0 ]; then | ||
cat <<EOF | cat <<EOF | ||
This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235> | |||
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps | |||
EOF | |||
fi | fi | ||
exit $rv | exit \$rv | ||
FOF | FOF | ||
* Execute the script | * Execute the script | ||
| Line 92: | Line 110: | ||
./rhel-GHOST-test.sh | ./rhel-GHOST-test.sh | ||
* '''You should not see the 'vulnerable' string displayed''' | * '''You should not see the 'vulnerable' string displayed''' | ||
= Verify system timezone = | |||
We found that some systems got the timezone reset to EST time after the GHOST patch procedures | |||
* Verify the timezone on the system | |||
date | |||
If it differs from the original, reset the timezone using the [[TMG:Change_Time_Zone|tbtimezone]] script. | |||
= References = | = References = | ||
Latest revision as of 11:28, 20 July 2015
On January 27, 2015, a vulnerability named "GHOST" in the glibc library was publicly announced. GHOST is also referred as CVE-2015-0235. The vulnerability is a buffer overflow in the gethostbyname family of functions that can allow arbitrary code execution.
Affected Products
- TMG800, TMG3200, TMG7800-CTRL
- Tdev Linux server with (CentOS, RedHat, etc) running Toolpack software
Details
The impact of this vulnerability on TelcoBridges products depends on their configuration. The vulnerability may only be triggered through requests for domain name resolution. Therefore, only units that enable such services may be exposed to the issue.
Software Versions and Fixes
The TelcoBridges CentOS 5 repository has been updated with the latest glibc version. Services that use glibc must be restarted. Because glibc is thoroughly used in the Linux operating system, it is highly recommended to reboot the unit.
Update procedure
The operator can use one of the two methods available: GUI/WebPortal or command line interface.
WebPortal - TMG unit or Linux server with access to Internet (i.e. with DNS configured)
- login onto the WebPortal
- Select the 'Hosts' section
- Click on the hostname
- Click on the 'Status' tab
- Select 'Upgrade Linux packages' into the host 'Action'
- Click on the 'Apply action' button
- Refresh the page until the packages are updated as indicated in the 'Action Log' (you may use the 'Now' button to update the page). The results should appear within a minute.
- Select 'Shutdown' into the host 'Action'
- Select 'Reboot' into the 'Shutdown Type'
- Click on the 'Apply action' button
- Repeat the process for all hosts listed
Command line interface
- login with root account
[root@TB011107 ~]# uname -m x86_64
- If the result is not "x86_64", please contact TelcoBridges support, otherwise you can proceed with either method below.
- Follow one of the two options depending if Internet is accessible from the unit
Option #1 - TMG unit or Linux server with access to Internet (i.e. with DNS configured)
- update OS packages with yum
yum clean all yum update
- reboot the unit
reboot
Option #2 - TMG unit or Linux server without access to Internet
- download the following packages to your PC:
- http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-2.5-123.el5_11.1.x86_64.rpm
- http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-common-2.5-123.el5_11.1.x86_64.rpm
- http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-devel-2.5-123.el5_11.1.x86_64.rpm
- http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/glibc-headers-2.5-123.el5_11.1.x86_64.rpm
- http://repo.telcobridges.com/centos/5.7/updates/x86_64/RPMS/nscd-2.5-123.el5_11.1.x86_64.rpm
- Using WinSCP or similar tool, upload the files to the TMG unit using the root account
- login with root account
- Install packages
yum localinstall glibc-2.5-123.el5_11.1.x86_64.rpm \ glibc-common-2.5-123.el5_11.1.x86_64.rpm \ glibc-devel-2.5-123.el5_11.1.x86_64.rpm \ glibc-headers-2.5-123.el5_11.1.x86_64.rpm \ nscd-2.5-123.el5_11.1.x86_64.rpm
- Note: that operation might take a long time since yum will probably experience timeouts when trying to access the external repositories.
- Reboot the unit
reboot
How to verify if the vulnerability is fixed?
- login with root account
- execute the following to create a test script
cat > rhel-GHOST-test.sh << FOF #!/bin/bash # rhel-GHOST-test.sh - GHOST vulnerability tester. Only for CentOS/RHEL based servers. # # Version 3 # Credit : Red Hat, Inc - https://access.redhat.com/labs/ghost/ # echo "Installed glibc version(s)" rv=0 for glibc_nvr in \$( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do glibc_ver=\$( echo "\$glibc_nvr" | awk -F- '{ print \$2 }' ) glibc_maj=\$( echo "\$glibc_ver" | awk -F. '{ print \$1 }') glibc_min=\$( echo "\$glibc_ver" | awk -F. '{ print \$2 }') echo -n "- \$glibc_nvr: " if [ "\$glibc_maj" -gt 2 -o \( "\$glibc_maj" -eq 2 -a "\$glibc_min" -ge 18 \) ]; then # fixed upstream version echo 'not vulnerable' else # all RHEL updates include CVE in rpm %changelog if rpm -q --changelog "\$glibc_nvr" | grep -q 'CVE-2015-0235'; then echo "not vulnerable" else echo "vulnerable" rv=1 fi fi done if [ \$rv -ne 0 ]; then cat <<EOF This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235> Please refer to <https://access.redhat.com/articles/1332213> for remediation steps EOF fi exit \$rv FOF
- Execute the script
chmod +x rhel-GHOST-test.sh ./rhel-GHOST-test.sh
- You should not see the 'vulnerable' string displayed
Verify system timezone
We found that some systems got the timezone reset to EST time after the GHOST patch procedures
- Verify the timezone on the system
date
If it differs from the original, reset the timezone using the tbtimezone script.