Remotely exploitable ‘GHOST’ bug strikes all Linux distros

Researchers have discovered a serious vulnerability affecting multiple distributions of the Linux OS. While patches are available, the clean-up effort is likely to be a major task for Linux admins.

A round of patches was released today to fix a critical Linux bug, dubbed GHOST, a remotely exploitable flaw in Linux distributions that could allow an attacker to take control of a vulnerable Linux machine.

The bug was discovered during a code review by vulnerability management firm Qualys. The company said that it had developed a proof of concept (PoC) attack “in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine”. In other words, the risk will become very real when the company releases the exploit, which it plans to do in coming months.

The reason they’ve called the bug GHOST, which has been assigned CVE-2015-0235, is that it can be triggered by GetHOST functions.

It’s the first serious open source bug disclosed this year following last year’s Heartbleed bug in OpenSSL, the Shellshock bug in Bash and the POODLE bug related to the SSL v3 fallback issue. Each of the bugs took months to clean up and in the case of Heartbleed, it may still not be fully remedied.

GHOST has been traced back to a buffer overflow flaw in the __nss_hostname_digits_dots() function of glibc, otherwise known as the GNU C Library, a core part of nearly all Linux systems, according to Qualys’ Amol Sarwate.

“Without this library a Linux system will not function,” he said in a write-up on the GHOST flaw.

“This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address,” he added.

A more detailed analysis of the bug, including information about mitigating factors and a description of GHOST’s exploitation, is provided in the official advisory from Openwall.

Major Linux distributions affected include multiple versions of Debian, Red Hat Enterprise Linux, CentOS and Ubuntu.

Qualys said there were additional “potential targets”, however it hasn’t confirmed that the buffer overflow can be triggered in them. These include apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.

According to Qualys’ Sarwate, GHOST has been residing in the GNU C Library since 2000, when glibc-2.2 was released.

Oddly, the bug was fixed on May 21, 2013 with the release of glibc-2.17 and glibc-2.18, said Sarwate. However, since it was not recognised at the time as a security threat, it remained in the systems being patched today.
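The version range described above can be turned into a quick triage check. The following C program is an added example, not code from Qualys or from this article; `ghost_classify` and the sample version strings are hypothetical, and it assumes glibc-2.18 is the first upstream release that carries the 2013 fix. Because distributions backport fixes without changing the upstream version number, an in-range result means the vendor package needs checking, not that the host is confirmed vulnerable.

```c
/* Added example: triage a glibc version string against the upstream GHOST range. */
#include <stdio.h>
#include <stdlib.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>          /* gnu_get_libc_version() */
#endif

enum ghost_status { GHOST_UNKNOWN = -1, GHOST_OUTSIDE_RANGE = 0, GHOST_IN_RANGE = 1 };

/* Parse the leading "MAJOR.MINOR" of a version such as "2.17" or of a package
 * string such as "2.12-1.el6". Returns 0 on success, -1 if malformed. */
static int parse_major_minor(const char *s, long *major, long *minor)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    *major = strtol(s, &end, 10);
    if (*end != '.' || end[1] < '0' || end[1] > '9')
        return -1;
    *minor = strtol(end + 1, NULL, 10);
    return 0;
}

/* Upstream range: present since glibc-2.2; glibc-2.18 is assumed to be the
 * first fixed upstream release (assumption stated in the lead-in). */
enum ghost_status ghost_classify(const char *version)
{
    long major, minor;
    if (parse_major_minor(version, &major, &minor) != 0)
        return GHOST_UNKNOWN;
    return (major == 2 && minor >= 2 && minor <= 17) ? GHOST_IN_RANGE
                                                     : GHOST_OUTSIDE_RANGE;
}

int main(void)
{
    /* Constructed sample inventory values, not taken from any real host. */
    const char *samples[] = { "2.12-1.el6", "2.17", "2.18", "2.19-0ubuntu1", "unknown" };
    static const char *label[] = { "cannot parse", "outside upstream range",
                                   "in upstream range: confirm vendor fix is installed" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s %s\n", samples[i], label[ghost_classify(samples[i]) + 1]);
#ifdef __GLIBC__
    const char *running = gnu_get_libc_version();   /* library this process uses */
    printf("running glibc %s: %s\n", running, label[ghost_classify(running) + 1]);
#endif
    return 0;
}
```

Processes started before a glibc update keep the old library mapped until they are restarted, so a patched package on disk does not by itself mean running services are using the fixed code.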

This article is brought to you by Enex TestLab, content directors for CSO Australia.

