GLIBC GHOST vulnerability and do we need to reboot

A new remote zero-day security vulnerability has been discovered in the glibc under CVE-2015-0235. This vulnerability allows attackers to remotely access some vulnerable Linux-based systems without the use of compromised passwords or other user credentials. Once in the system, attackers could leverage other vulnerabilities to escalate privileges until they gain root access.

A glibc patch has been released to address this issue and we have already updated public and private hosting servers. There is quite a buzz around the question if a server should be rebooted after the patch. The great guys from CloudLinux have already answered this question in a quite informative and straight forward way in their blog post.

For informational purposes, we decided to share their conclusion:

First of all – no all services that use glibc need to be restarted. Only services that use gethostbyname. That function is used to resolve internet host name to IP address. Now, to exploit this function, attacker needs to be able to able to feed specially crafted ‘host name’ to the service. And service needs to process it without validating it first. That is not a common condition. For example /sbin/init, while using glibc will not be exploitable at all using such bug. So, no need to restart it.

So, what can be potentially exploitable, and should be restart:

  1. Exim: only when it is configured to resolve remote host name. Restart it.
  2. Apache – apache itself is not exploitable, but some modules might be checking remote hosts – so, why not restart it. You should also restart php FPM, mod_lsapi daemon if you are running it in self_starter mode. Restart it just in case
  3. LiteSpeed – restart it just in case.
  4. Nginx – it is not vulnerable, and most common configurations I have seen on shared hosts will not be vulnerable as well – but given how cheap it is to restart it – restart it.
  5. cPanel (or your favorite brand of control panel) – yes, worth it, including cpHulkd. They might be not vulnerable at all – but with closed source software – you never know, and such restart is once again – cheap.
  6. PostgreSQL – we don’t really know, so restart it just in case.
  7. OpenSSH – it is considered safe, but if you want to be really safe – restarting openssh doesn’t require any server downtime.
  8. Postfix/sendmail – most likely it is safe, but same as with OpenSSH – restarting it doesn’t take much.

Proftpd, pure-ftpd,vsftpd,xinetd, tcp_wrappers, rsyslogd,mysql/mariadb – are all considered safe – but should be easy to restart if you feel like it.

We already took the necessary actions to address the issue so you can rest assured that your hosting accounts and server is safe.

Christopher

Christopher has many years of experience leading teams in the fields of Technical support, Server Administration, and Product Development. He mainly works on the backend, helping to create the infrastructure that powers FastComet. He is responsible for flawless migrations and quick and efficient answers to client questions. He also monitors our network status and jumps in to solve time-sensitive issues like DDoS attacks and stops malicious attempts in their tracks. Christopher’s primarily responsible for making sure that our servers purr along, and has worked tirelessly to improve automation at FastComet.