


A rather alarming vulnerability was announced, so I made the time to update our office's public-facing server right away.
Linux has a serious security hole, "GHOST"; patch it now
http://japan.zdnet.com/article/35059585/
Readers are advised to update the Linux systems they use right now (not today, right now), as quickly as possible.
An easy-to-understand explanation was here:
About the CVE-2015-0235 (GHOST) vulnerability in glibc's gethostbyname function – Walbrix Co., Ltd.
http://www.walbrix.com/jp/blog/2015-01-ghost.html
The public server's OS is CentOS release 5.11 (Final) with kernel 2.6.18-400.1.1.el5.centos.plus.
[root@host01 ~]# rpm -qa | grep glibc
glibc-headers-2.5-123
compat-glibc-headers-2.3.4-2.26
compat-glibc-2.3.4-2.26
glibc-2.5-123
glibc-common-2.5-123
glibc-devel-2.5-123
[root@host01 ~]# /lib/libc.so.6
GNU C Library stable release version 2.5, by Roland McGrath et al.
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
Compiled by GNU CC version 4.1.2 20080704 (Red Hat 4.1.2-55).
Compiled on a Linux 2.6.9 system on 2014-09-16.
Available extensions:
        The C stubs add-on version 2.1.2.
        crypt add-on version 2.1 by Michael Glad and others
        GNU Libidn by Simon Josefsson
        GNU libio by Per Bothner
        NIS(YP)/NIS+ NSS modules 0.19 by Thorsten Kukuk
        Native POSIX Threads Library by Ulrich Drepper et al
        BIND-8.2.3-T5B
        RT using linux kernel aio
Thread-local storage support included.
For bug reporting instructions, please see:
<http://www.gnu.org/software/libc/bugs.html>.
[root@host01 ~]# rpm -q --changelog glibc-2.5-123 | head
* 水 8月 27 2014 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.5-123
- Remove gconv transliteration loadable modules support (CVE-2014-5119,
- _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,

* 金 4月 18 2014 Patsy Franklin <pfrankli@redhat.com> - 2.5-122
- Fix patch for integer overflows in *valloc and memalign. (CVE-2013-4332,#1011805).

* 土 3月 22 2014 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.5-121
- Fix return code when starting an already started nscd daemon (#979413).
- Fix getnameinfo for many PTR record queries (#1020486).
- Return EINVAL error for negative sizees to getgroups (#995207).
Just to confirm, I compiled and ran the vulnerability check code, and it reported the system as vulnerable.
[root@host01 ~]# gcc -o ghost ghost.c
[root@host01 ~]# ls -l ghost*
-rwxr-xr-x 1 root root 6633  1月 28 16:37 ghost
-rw-r--r-- 1 root root  906  1月 28 16:35 ghost.c
[root@host01 ~]# ./ghost
vulnerable
Update with yum.
[root@host01 ~]# yum update glibc
Loaded plugins: fastestmirror
Determining fastest mirrors
 * addons: ftp.riken.jp
 * base: ftp.riken.jp
 * centosplus: ftp.riken.jp
 * epel: ftp.riken.jp
 * extras: ftp.riken.jp
 * remi: rpms.famillecollet.com
 * updates: ftp.riken.jp
addons                                                   | 1.9 kB     00:00
addons/primary_db                                        | 1.1 kB     00:00
base                                                     | 1.1 kB     00:00
base/primary                                             | 996 kB     00:00
base                                                                2791/2791
centosplus                                               | 1.9 kB     00:00
centosplus/primary_db                                    |  68 kB     00:00
dag                                                      | 1.9 kB     00:00
dag/primary_db                                           | 7.3 MB     00:32
epel                                                     | 3.7 kB     00:00
epel/primary_db                                          | 2.8 MB     00:01
extras                                                   | 2.1 kB     00:00
extras/primary_db                                        | 164 kB     00:00
remi                                                     | 2.5 kB     00:00
remi/primary_db                                          | 708 kB     00:03
updates                                                  | 1.9 kB     00:00
updates/primary_db                                       | 229 kB     00:00
Setting up Update Process
Resolving Dependencies
--> Running transaction check
--> Processing Dependency: glibc = 2.5-123 for package: glibc-devel
--> Processing Dependency: glibc = 2.5-123 for package: glibc-headers
--> Processing Dependency: glibc = 2.5-123 for package: nscd
---> Package glibc.i686 0:2.5-123.el5_11.1 set to be updated
--> Processing Dependency: glibc-common = 2.5-123.el5_11.1 for package: glibc
--> Running transaction check
---> Package glibc-common.i386 0:2.5-123.el5_11.1 set to be updated
---> Package glibc-devel.i386 0:2.5-123.el5_11.1 set to be updated
---> Package glibc-headers.i386 0:2.5-123.el5_11.1 set to be updated
---> Package nscd.i386 0:2.5-123.el5_11.1 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package             Arch        Version                   Repository      Size
================================================================================
Updating:
 glibc               i686        2.5-123.el5_11.1          updates        5.4 M
Updating for dependencies:
 glibc-common        i386        2.5-123.el5_11.1          updates         16 M
 glibc-devel         i386        2.5-123.el5_11.1          updates        2.1 M
 glibc-headers       i386        2.5-123.el5_11.1          updates        612 k
 nscd                i386        2.5-123.el5_11.1          updates        178 k

Transaction Summary
================================================================================
Install       0 Package(s)
Upgrade       5 Package(s)

Total download size: 25 M
Is this ok [y/N]: y
Downloading Packages:
(1/5): nscd-2.5-123.el5_11.1.i386.rpm                    | 178 kB     00:00
(2/5): glibc-headers-2.5-123.el5_11.1.i386.rpm           | 612 kB     00:00
(3/5): glibc-devel-2.5-123.el5_11.1.i386.rpm             | 2.1 MB     00:00
(4/5): glibc-2.5-123.el5_11.1.i686.rpm                   | 5.4 MB     00:01
(5/5): glibc-common-2.5-123.el5_11.1.i386.rpm            |  16 MB     00:01
--------------------------------------------------------------------------------
Total                                           6.0 MB/s |  25 MB     00:04
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : glibc-common                                            1/10
  Updating       : glibc                                                   2/10
  Updating       : nscd                                                    3/10
  Updating       : glibc-headers                                           4/10
  Updating       : glibc-devel                                             5/10
  Cleanup        : glibc-common                                            6/10
  Cleanup        : nscd                                                    7/10
  Cleanup        : glibc-headers                                           8/10
  Cleanup        : glibc-devel                                             9/10
  Cleanup        : glibc                                                  10/10

Updated:
  glibc.i686 0:2.5-123.el5_11.1

Dependency Updated:
  glibc-common.i386 0:2.5-123.el5_11.1     glibc-devel.i386 0:2.5-123.el5_11.1
  glibc-headers.i386 0:2.5-123.el5_11.1    nscd.i386 0:2.5-123.el5_11.1

Complete!
[root@host01 ~]# rpm -qa | grep glibc
glibc-common-2.5-123.el5_11.1
glibc-devel-2.5-123.el5_11.1
glibc-2.5-123.el5_11.1
compat-glibc-headers-2.3.4-2.26
compat-glibc-2.3.4-2.26
glibc-headers-2.5-123.el5_11.1
[root@host01 ~]# rpm -q --changelog glibc-2.5-123.el5_11.1 | head
* 火 1月 20 2015 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.5-123.1
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532).

* 水 8月 27 2014 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.5-123
- Remove gconv transliteration loadable modules support (CVE-2014-5119,
- _nl_find_locale: Improve handling of crafted locale names (CVE-2014-0475,

* 金 4月 18 2014 Patsy Franklin <pfrankli@redhat.com> - 2.5-122
- Fix patch for integer overflows in *valloc and memalign. (CVE-2013-4332,#1011805).
The update succeeded, so reboot the server.
With a public-facing server there may be all sorts of reasons why a reboot is difficult, but this is not a case where that can be allowed to matter.
After the reboot, run the vulnerability check program again.
[root@host01 ~]# ./ghost
not vulnerable
Done (^_^)v
As always, I am truly grateful to everyone who provides these fixes.
[Addendum]
To find the programs that depend on glibc, it seems you can run the following command.
Critical glibc update (CVE-2015-0235) in gethostbyname() calls
http://ma.ttias.be/critical-glibc-update-cve-2015-0235-gethostbyname-calls/
To find all the services that rely on the glibc libraries, run the following command. It will list all open files (lsof) and find the files that refer to the glibc libraries.
$ lsof | grep libc | awk '{print $1}' | sort | uniq
Not only httpd and named but also sshd and others turned out to depend on it, so a public-facing server should be updated as soon as possible.
[Addendum 2014/01/29]
The tone has been softened considerably.
The "GHOST" vulnerability in Linux: system administrators should respond calmly | Trend Micro Security Blog
http://blog.trendmicro.co.jp/archives/10818
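As an added example that is not part of the original post, the following POSIX shell script turns two checks from this page into functions: the rpm changelog lookup shown after the yum update (does the installed glibc's changelog mention CVE-2015-0235?) and the lsof pipeline from the addendum (which processes have libc mapped?). It runs against constructed sample output so it works offline; the sample lsof lines, process names and PIDs are made up. Two refinements beyond the post are labelled as such: the grep pattern is tightened to libc[-.] so that libcrypto and similar names do not match, and a third function lists processes whose mapped libc shows as "(deleted)" in lsof. Those processes are still running the old, replaced library and need a restart (or the reboot the post performs) before the fix is effective for them.

```shell
#!/bin/sh
# Added example (not from the original post). Parses rpm changelog and lsof
# output for the two checks described on the page. Sample data below is constructed.

# Constructed sample: first lines of `rpm -q --changelog glibc` after the update
PATCHED_CHANGELOG='* Tue Jan 20 2015 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.5-123.1
- Fix parsing of numeric hosts in gethostbyname_r (CVE-2015-0235, #1183532).

* Wed Aug 27 2014 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.5-123
- Remove gconv transliteration loadable modules support (CVE-2014-5119,'

# Constructed sample: the same query on a glibc that has not received the fix
UNPATCHED_CHANGELOG='* Wed Aug 27 2014 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.5-123
- Remove gconv transliteration loadable modules support (CVE-2014-5119,'

# Constructed sample of `lsof` output (only the columns that matter here).
# ntpd's libc mapping is marked "(deleted)": it still runs the pre-update library.
LSOF_SAMPLE='COMMAND   PID USER   FD   TYPE DEVICE SIZE/OFF   NODE NAME
sshd     1234 root   mem   REG  253,0  1611564  12345 /lib/libc-2.5.so
httpd    2345 root   mem   REG  253,0  1611564  12345 /lib/libc-2.5.so
httpd    2346 apache mem   REG  253,0  1611564  12345 /lib/libc-2.5.so
httpd    2346 apache mem   REG  253,0  1356036  12399 /usr/lib/libcrypto.so.0.9.8e
named    3456 named  mem   REG  253,0  1611564  12345 /lib/libc-2.5.so
bash     4567 root   mem   REG  253,0  1611564  12345 /lib/libc-2.5.so
ntpd     5678 ntp    mem   REG  253,0  1611564  99999 /lib/libc-2.5.so (deleted)'

# Returns 0 when the changelog text ($1) mentions the GHOST fix, 1 otherwise.
changelog_has_ghost_fix() {
    printf '%s\n' "$1" | grep -q 'CVE-2015-0235'
}

# Prints the unique process names in lsof output ($1) that have libc mapped.
# Pattern libc[-.] (tightened from the post's plain "libc") matches
# libc-2.5.so and libc.so.6 but not libcrypto or libcrypt.
libc_users() {
    printf '%s\n' "$1" | grep 'libc[-.]' | awk '{print $1}' | sort | uniq
}

# Prints process names whose mapped libc is "(deleted)", i.e. the file on disk
# was replaced by the update but the process still runs the old copy.
stale_libc_users() {
    printf '%s\n' "$1" | grep 'libc[-.].*(deleted)' | awk '{print $1}' | sort | uniq
}

# Runs the same checks on the live system; silently skipped if rpm or lsof is absent.
live_check() {
    command -v rpm >/dev/null 2>&1 && command -v lsof >/dev/null 2>&1 || return 0
    changelog="$(rpm -q --changelog glibc 2>/dev/null)"
    if changelog_has_ghost_fix "$changelog"; then
        echo "glibc changelog mentions CVE-2015-0235"
    else
        echo "glibc changelog does NOT mention CVE-2015-0235"
    fi
    echo "processes still holding the replaced libc (restart them or reboot):"
    stale_libc_users "$(lsof 2>/dev/null)"
}

echo "sample: processes using libc:"
libc_users "$LSOF_SAMPLE"
echo "sample: processes still using the old libc:"
stale_libc_users "$LSOF_SAMPLE"
live_check
```

The stale check is the one that matters after `yum update glibc` but before the reboot: an empty result from stale_libc_users means every process has picked up the new library, while any name it prints (ntpd in the sample) is a service that must be restarted.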