GHOST, a critical Linux security hole, is revealed

Status
Not open for further replies.

frogboy

In memoriam 1961-2018
Thread author
Jun 9, 2013
6,720
Researchers at cloud security company Qualys have discovered a major security hole, GHOST (CVE-2015-0235), in the Linux GNU C Library (glibc). This vulnerability enables hackers to remotely take control of systems without even knowing any system IDs or passwords.

Qualys alerted the major Linux distributors about the security hole quickly and most have now released patches for it. Josh Bressers, manager of the Red Hat product security team said in an interview that, "Red Hat got word of this about a week ago. Updates to fix GHOST on Red Hat Enterprise Linux (RHEL) 5, 6, and 7 are now available via the Red Hat Network."

This hole exists in any Linux system that was built with glibc-2.2, which was released on November 10, 2000. Qualys found that the bug had actually been patched with a minor bug fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18.

However, this fix was not classified as a security problem, and as a result, many stable and long-term-support distributions are wide open today. Linux systems that are liable to attack include Debian 7 (Wheezy), RHEL 5, 6, and 7, CentOS 6 and 7 and Ubuntu 12.04. Besides Red Hat's fix, Debian is currently repairing its core distributions, Ubuntu has patched the bug both for 12.04 and the older 10.04, and I'm told the patches are on their way for CentOS.

The security hole can be triggered by exploiting glibc's gethostbyname functions. This function is used on almost all networked Linux computers when the computer is called on to access another networked computer either by using the /etc/hosts files or, more commonly, by resolving an Internet domain name with Domain Name System (DNS).

To exploit this vulnerability, all an attacker needs to do is trigger a buffer overflow by using an invalid hostname argument to an application that performs a DNS resolution. This vulnerability then enables a remote attacker to execute arbitrary code with the permissions of the user running DNS. In short, once an attacker has exploited GHOST they may be capable of taking over the system.


"GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine. For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine," said Wolfgang Kandek, Qualys's CTO in a statement. "Given the sheer number of systems based on glibc, we believe this is a high severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor."

Unlike some security announcements, Kandek is not crying wolf. Qualys has developed a proof-of-concept in which simply sending a specially created e-mail to a mail server enabled them to create a remote shell to the Linux machine. According to Qualys, "This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems."

My advice to you is to now, not later today, now, update your Linux system as soon as possible. After patching it, you should then reboot the system. I know for Linux it's rarely needed to reboot, but since gethostbyname is called on by so many core processes, such as auditd, dbus-daem, dhclient, init, master, mysqld, rsyslogd, sshd, udevd, and xinetd, you want to make absolutely sure that all your system's running programs are using the patched code.
 
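The reboot advice above exists because a process that was already running when the glibc package was replaced keeps the old, unpatched library mapped until it is restarted. The following script is an added example, not part of the thread or of any distribution's tooling: it finds such processes by looking for libc mappings that the kernel marks "(deleted)" in /proc/<pid>/maps. It assumes a Linux /proc filesystem; the sample maps lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): after upgrading glibc, report processes
# that still map the replaced (pre-patch) libc. Assumes Linux: a file that was
# replaced while still mapped is shown with a "(deleted)" suffix in
# /proc/<pid>/maps. Version strings alone are not reliable for this check,
# since vendors backport the fix without bumping the glibc version.

# stale_libc_maps: read one process's maps text on stdin; print the path of
# the first libc mapping whose backing file has been deleted, else nothing.
stale_libc_maps() {
    # fields: address perms offset dev inode path ["(deleted)"]
    awk '$6 ~ /\/libc[-.]/ && $NF == "(deleted)" { print $6; exit }'
}

# scan_proc: check every process; print "pid<TAB>command<TAB>stale libc path"
# for each one that must be restarted (or the host rebooted) to pick up the
# patched library.
scan_proc() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        path=$(stale_libc_maps < "$maps") || continue
        [ -n "$path" ] || continue
        cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null | cut -c1-40)
        printf '%s\t%s\t%s\n' "$pid" "$cmd" "$path"
    done
}

# Constructed sample maps excerpts (not captured from a real host), used to
# exercise stale_libc_maps without touching /proc.
SAMPLE_STALE='7f1c2a000000-7f1c2a1c0000 r-xp 00000000 08:01 131205 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f1c2a3c0000-7f1c2a3c4000 r--p 001c0000 08:01 131205 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]'
SAMPLE_FRESH='7f1c2a000000-7f1c2a1c0000 r-xp 00000000 08:01 131300 /lib/x86_64-linux-gnu/libc-2.13.so
7ffd1e000000-7ffd1e021000 rw-p 00000000 00:00 0 [stack]'

# check_sample: print the stale libc path found in the given maps text.
check_sample() {
    printf '%s\n' "$1" | stale_libc_maps
}

# Run the live scan only when asked: ./stale-glibc.sh --scan
if [ "${1:-}" = "--scan" ]; then
    scan_proc
fi
```

An empty scan result after the upgrade means every process is already on the new library; any line printed names a service that still needs a restart.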

Cats-4_Owners-2

Dec 4, 2013
2,800
Thank you for sharing this, frogboy. After having noticed our Lubuntu system had been receiving an unusual amount of security updates, while it also seemed to be operating both hotter and more sluggishly last night, the system's base plus Firefox and particularly Chrome, for the 2nd time in as many days, were given security updates from the Ubuntu repository. Coincidentally, for the first time ever, I'd decided to restart the computer after the latest security update completed. :) It's feeling better, though I shall remain on higher Linux alert! ;)
 

Soulbound

Moderator
Jan 14, 2015
1,761
It's been patched on Debian Testing and Sid branches already. Stable is yet to be patched, I believe. I need to double check as I am running Stable mix on one and Testing mix on another.
Though the glibc on the stable I believe was from the Sid branch, so I should be good to go. Been quite busy with Arch :(
 

Soulbound

Moderator
Jan 14, 2015
1,761
Debian Stable (Wheezy) 7:

Received the update.
 