All you need to know about Ghost Vulnerability
On January 27, 2015, a serious weakness was found within the Linux operating system that can potentially provide complete control over a compromised system. Because Linux is still very popular on smartphones and servers, the Indusface Research Team believes it can seriously threaten businesses. The following is a brief guide to the information you will need on the topic.
CVE-2015-0235 Basics
CVE-2015-0235 is called the GHOST vulnerability because it is exploited through glibc's GetHOST functions. It affects glibc, the GNU C Library, in versions prior to glibc-2.18. The GNU C Library is a core part of the Linux operating system, and the flaw is present in glibc 2.2 to glibc 2.17. It is a buffer overflow in the glibc function __nss_hostname_digits_dots(), which an attacker can reach, even from a remote location, through the gethostbyname*() functions. Applications call these functions to have the DNS resolver turn a hostname into an IP address. Many Linux distributions, including but not limited to the following, may be affected.
- Debian 7
- CentOS 6 & 7
- Ubuntu 10.04 & 12.04
- Red Hat Enterprise Linux 6 & 7
- End of Life Linux Distributions
Risk Analysis
As the GHOST vulnerability can be exploited both locally and remotely, it becomes very easy to gain complete control over the compromised system. It has been found that an attacker can bypass almost every protection layer on both 32-bit and 64-bit systems, leaving the server prone to all kinds of brand and financial damage.
Affected Operating Systems
Our existing customers will get an alert through Indusface web application scanning to monitor and defend their server assets. We have updated our scanning vectors to look for the GHOST vulnerability. Here's how others can check their glibc version. For Ubuntu and Debian, check the ldd version:
    ldd --version
Look for the eglibc version in the first line and match it with the following numbers. If yours is older than the following, patching is a must.
- Debian 7 LTS: 2.13-38+deb7u7
- Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
- Ubuntu 12.04 LTS: 2.15-0ubuntu10.10
For RHEL and CentOS too, check the ldd version:
    ldd --version
The glibc version appears in the first line of the result. If it is more recent than 2.18, you do not need to worry. For older versions, a patch is necessary.
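The version check described above as a script (an added example, not Indusface's code): it takes the first line of `ldd --version` and compares it with the fixed versions listed in this article. The function names and the expected line formats are assumptions made for the illustration, and the sample lines are constructed.

```shell
#!/bin/sh
# Added example: classify the first line of `ldd --version` against the
# minimum fixed versions listed in the article.

# version_lt A B: succeed when A is older than B. Compares numeric fields
# left to right and ignores letters (an approximation that holds for the
# strings below; on Debian/Ubuntu `dpkg --compare-versions` is authoritative).
version_lt() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $a                      # numeric fields of A become $1, $2, ...
    for y in $b; do
        x=${1:-0}                  # a missing field counts as 0
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        if [ $# -gt 0 ]; then shift; fi
    done
    return 1                       # equal, or A has extra fields
}

# ghost_status LINE: print needs-patch, ok or unknown for one first line.
ghost_status() {
    line=$1
    case $line in                  # thresholds taken from the article
        *"Debian EGLIBC 2.13"*) fixed="2.13-38+deb7u7" ;;
        *"Ubuntu EGLIBC 2.11"*) fixed="2.11.1-0ubuntu7.20" ;;
        *"Ubuntu EGLIBC 2.15"*) fixed="2.15-0ubuntu10.10" ;;
        *"(GNU libc)"*)         fixed="2.18" ;;
        *) echo "unknown"; return 0 ;;
    esac
    case $line in
        *EGLIBC*) have=${line#*EGLIBC }; have=${have%%\)*} ;;  # package version
        *)        have=${line##* } ;;                          # upstream version
    esac
    if version_lt "$have" "$fixed"; then echo "needs-patch"; else echo "ok"; fi
}

# Constructed sample lines (assumed formats, not captured from real hosts).
for sample in \
    "ldd (Debian EGLIBC 2.13-38+deb7u6) 2.13" \
    "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15" \
    "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15" \
    "ldd (GNU libc) 2.12"
do
    printf '%-12s %s\n' "$(ghost_status "$sample")" "$sample"
done
# On a live host: ghost_status "$(ldd --version | head -n 1)"
```

The second and third samples show why a plain string comparison is not enough: 10.9 is older than 10.10. On RHEL and CentOS, vendors commonly backport fixes without changing the upstream version that `ldd --version` prints, so confirm a `needs-patch` result there against the installed package release (`rpm -q glibc`) and the vendor advisory.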
Proof-of-concept?
The Indusface Research Team strongly believes that the vulnerability is serious and that many people are still unaware of the damage it can cause. That is why we are going to wait to release the in-depth analysis and proof-of-concept until the majority of older systems are patched and no longer vulnerable to exploitation through GHOST.
Mitigation
Update glibc using the default package manager for your OS. You can contact your license vendor and apply for a patch to resolve the issue. Once the system has been updated, check the glibc version once again, just to be sure. Our research team is constantly reviewing developments on the GHOST vulnerability and promises to come up with important details when required. You can also contact us to understand how Indusface web can help detect GHOST and several other vulnerabilities continuously.
You can start with the AppTrana Free Forever Website Security Scan to find out how it works.