On January 27, 2015, a serious weakness was found within the Linux operating system, which can potentially provide complete control over the compromised system. Now given that Linux is still very popular with smartphones and servers, Indusface Research Team believes that it can be seriously threatening to businesses. Following is a brief guide on all the information you will need on the topic.
CVE-2015-0235 is being called the GHOST Vulnerability as it exploits glibc’s GetHOST functions. It basically affects Linux glibc or GNU C library on versions prior to glibc-2.18. Now, GNU C Library is a core part of the Linux operating system in glibc 2.2 to glibc 2.17. With buffer overflow in glibc function __nss_hostname_digits_dots(), an attacker can exploit the bug even from a remote location with gethostbyname*() functions. Now that the DNS resolver and application are connected, it becomes easier to get an IP address from a hostname. Many Linux distributions including, but not limited to the following may be affected.
As the GHOST vulnerability can be exploited both locally and remotely, it becomes very easy to gain complete control over the compromised system. It has been found that an attacker can bypass almost every protection layer on both 32-bit and 64-bit systems, leaving server prone to all kind of brand and financial damage.
Our existing customers will get an alert through Indusface web application scanning to monitor and defend their server assets. We have updated our scanning vectors to look for the GHOST vulnerability. Here’s how others can look for glibc versions. For Ubuntu and Debian, check out the ldd version: ldd –version Look for the eglibc version in the first line and match it with the following numbers. If yours is older than the following, patching is a must.
For RHEL and CentOS too, look for ldd version. ldd –version You should get the glibc from first line of the result. If it is more recent than 2.18, you do not need to worry. For older versions, patch is necessary.
Indusface Research Team strongly believes that vulnerability is serious and many people are still unaware of the damage it can cause. That is why we are going to wait before we release the in-depth analysis and proof-of-concept when the majority of older systems are patched and not vulnerable to exploitation through GHOST.
Update glibc version using the default package manager for OS. You can contact your license vendor and apply for a patch to get rid of the issue. Once the system has been updated, make sure that you check for the glibc version once again, just to be sure. Our research team is constantly reviewing the developments on the GHOST vulnerability and promises to come up with important details when required. You can also contact us to understand how Indusface web can help detect GHOST and several other vulnerabilities continuously.
Founder & Chief Marketing Officer, Indusface
Venky has played multiple roles within Indusface for the past 6 years. He was instrumental in building the product/service and technology team from scratch and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. He has proven experience (10+ years) in the security industry and has held various mgmt/leadership roles in Product Development, Professional Services, and Sales during his time at Entrust Data card.