As I expected, the flow of security bugs continues this year. The first serious open source bug of this year has now been disclosed, following last year's Heartbleed bug in OpenSSL, the Shellshock bug in Bash and the POODLE bug related to the SSL v3 fallback issue.
The GHOST vulnerability is a serious weakness in the Linux glibc library. Glibc, the GNU C Library, is the most common open-source implementation of the C standard library and a core part of Linux. The GHOST vulnerability allows attackers to remotely take complete control of the victim system without any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
GHOST has been traced back to a buffer overflow flaw in the __nss_hostname_digits_dots() function of glibc, otherwise known as the GNU C Library, a core part of nearly all Linux systems, according to Qualys' Amol Sarwate. CVE-2015-0235: a nasty bug in the glibc gethostby* functions leads to a possible wealth of remote code execution opportunities. Because GHOST lets attackers remotely take complete control of the victim system without any prior knowledge of system credentials, it means attackers could take over Linux servers using something as innocent looking as an email. This comes on the heels of other major vulnerabilities with silly names such as Shellshock, Heartbleed and POODLE.
It seems that the bug has existed for a little more than 14 years (the first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000). Or actually it existed for 12.5 years, as it was patched in 2013 (glibc 2.17 and earlier are vulnerable). The issue was not widely fixed because stable distributions didn't want to update glibc when there was no known security issue. Now there is, and an update storm is starting.
More details can be found in this advisory or in the YouTube interview below.
Many Linux distributions are potentially vulnerable to GHOST and should be patched. The easiest way to test if your servers are vulnerable to GHOST is to check the version of glibc that is in use with the following command:
If the version of glibc is older than 2.18, your system is vulnerable to GHOST and should be updated. If you are using 2.18 or later, you are safe from the vulnerability.
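The script below is an added example, not the post's own command: it reads the glibc version of the running system and applies the 2.18 threshold given above. The commands used to read the version (`getconf GNU_LIBC_VERSION`, which prints "glibc 2.xx", and the last field of the first line of `ldd --version`) are my assumed way of obtaining it; the comparison is kept in its own function so it can be exercised with constructed version strings.

```shell
#!/bin/sh
# Added example (not from the original post): is the running glibc older
# than the 2.18 threshold the post gives for GHOST (CVE-2015-0235)?
# Assumed commands for reading the version: getconf GNU_LIBC_VERSION,
# falling back to ldd --version.

# Decide from a version string alone, with no system access.
# Exit status: 0 = older than 2.18 (vulnerable per the post),
#              1 = 2.18 or newer, 2 = string could not be parsed.
ghost_version_vulnerable() {
    ver=$1
    major=$(printf '%s\n' "$ver" | sed -n 's/^\([0-9][0-9]*\)\..*/\1/p')
    minor=$(printf '%s\n' "$ver" | sed -n 's/^[0-9][0-9]*\.\([0-9][0-9]*\).*/\1/p')
    [ -n "$major" ] && [ -n "$minor" ] || return 2
    if [ "$major" -lt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -lt 18 ]; then return 0; fi
    return 1
}

# Read the version of the glibc this system actually runs.
# Prints the version string, or nothing if it cannot be determined
# (for example on a musl-based system where neither command answers).
ghost_running_glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    if [ -z "$v" ]; then
        # ldd --version prints "ldd (...) 2.xx" on its first line
        v=$(ldd --version 2>/dev/null | sed -n '1s/.* \([0-9][0-9.]*\)$/\1/p')
    fi
    printf '%s\n' "$v"
}

# Top-level report, what an administrator would run on each server.
running=$(ghost_running_glibc_version)
if [ -z "$running" ]; then
    echo "glibc version: unknown (getconf/ldd gave no answer; maybe not a glibc system)"
else
    rc=0
    ghost_version_vulnerable "$running" || rc=$?
    case $rc in
        0) echo "glibc $running is older than 2.18: update glibc and reboot" ;;
        1) echo "glibc $running is 2.18 or newer" ;;
        *) echo "glibc version string '$running' not understood" ;;
    esac
fi
```

The version-number test is only a first screen: distributions that backport the fix into their stable glibc package keep the old version number, so a patched system can still report 2.17 or lower. Confirm the state of an older release against the package manager's own advisory for CVE-2015-0235 rather than the number alone.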
The vulnerability has already been fixed in most newer versions of Linux distributions. However, it remains a threat to users of stable and older Long Term Support (LTS) releases where the bug is still present. With Linux, the old adage of "if it's not broke, don't fix it" generally applies, especially for businesses.
If you are using an affected distro, don't panic. Simply update your system, as patches should be available now. For major current Linux distributions where an update package is available and the system can be rebooted, this is just another update process (for example on RHEL). Updating and restarting is likely easier than trying to figure out every service that calls glibc. It is highly recommended that you update and reboot all of your affected Linux servers. The easiest way to fix the GHOST vulnerability is to use your default package manager to update glibc.
In case you have an older distribution where there is no ready update package, or you are running a critical system that should not be stopped and needs a heavy testing process before an update can be accepted for use, things are harder for you. If you have a vulnerable embedded Linux device you might not be able to get an update any time soon, or ever. Just imagine all the network devices built since 2000 that will never be updated… Most probably don't run glibc, but there will be many that do.
Thankfully, Qualys hasn't released a working version of the hack yet. They're waiting until half of all Linux servers are updated, and will then release it to force the hand of the remaining half. That seems punitive and reckless, putting the straggling updaters at risk, but that's how they roll in INFOSEC.