A GHOST in the….Linux….Wires

Our partner Qualys discovered a new vulnerability nick-named “GHOST” (called as such because it can be triggered by the GetHOST functions) and worked with most of the Linux operating system distributions to patch it as of January 27th 2015.  The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.

global ghost

Quays released this advisory today as a coordinated effort, and patches for all distribution are available January 27, 2015.

The GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a Linux system will not function. The vulnerability is a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address, so every time a hostname is resolved locally, the vulnerability can be triggered.

The risk associated with this vulnerability is that an attacker who exploits this issue can gain complete control of the compromised system.

Based on the advisory mentioned above (https://www.openwall.com/lists/oss-security/2015/01/27/9) describes how the researchers achieved a remote code execution in the mail server exim. Many other linux applications are vulnerable though because they call to the same vulnerable function.

Qualys developed a proof-of-concept for this vulnerability in which they sent a specially created e-mail to an mail server and they were able to get a remote shell to the Linux machine. This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems.

The best way to mitigate the above-mentioned risk is to apply a patch from your Linux vendors.

The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. A number of factors that mitigate the impact of this bug have been identified. In particular, it was discovered that the bug was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.

So as the time of writing, most of Linux distributions have released a patch for this critical vulnerability. The vulnerability can be exploited remotely, so this fact makes highly critical. Plus most of the Internet-exposed services requires some sort of name resolution. As in the example above, sending an email to an email server containing a specially crafted hostname could trigger the vulnerability allowing a reverse shell to be spawn.

My suggestion: cloud-based Linux Internet exposed servers should be patched immediately! It’s “Heartbleed” time all over again!