On January 27, 2015, a serious weakness was found within the Linux operating system, which can potentially provide complete control over compromised system. Now given that Linux is still very popular with smartphones and servers, Indusface Research Team believes that it can be seriously threatening to businesses. Following is a brief guide on all the information you will need on the topic.

CVE-2015-0235 Basics

CVE-2015-0235 is being called the GHOST Vulnerability as it exploits glibc’s GetHOST functions. It basically affects Linux glibc or GNU C library on versions prior to glibc-2.18. Now, GNU C Library is a core part of the Linux operating system in glibc 2.2 to glibc 2.17. With buffer overflow in glibc function __nss_hostname_digits_dots(), an attacker can exploit the bug even from a remote location with gethostbyname*() functions. Now that the DNS resolver and application are connected, it becomes easier to get IP address from a hostname. Many Linux distributions including, but not limited to the following may be affected.

  • Debian 7
  • CentOS 6 & 7
  • Ubuntu 10.04 & 12.04
  • Red Hat Enterprise Linux 6 & 7
  • End of Life Linux Distributions

Risk Analysis

As the GHOST vulnerability can be exploited both locally and remotely, it becomes very easy to gain complete control over the compromised system. It has been found that an attacker can bypass almost every protection layer on both 32-bit and 64-bit systems, leaving server prone to all kind of brand and financial damage.

Affected Operating Systems

Our existing customers will get an alert through IndusGuard WEB scanning to monitor and defend their server assets. We have updated our scanning vectors to look for the GHOST vulnerability. Here’s how others can look for glibc versions. For Ubuntu and Debian, check out the ldd version: ldd –version   Look for the eglibc version in the first line and match it with the following numbers. If yours is older than the following, patching is must.

  • Debian 7 LTS: 2.13-38+deb7u7
  •  Ubuntu 10.04 LTS: 2.11.1-0ubuntu7.20
  • Ubuntu 12.04 LTS: 2.15-0ubuntu10.10

For RHEL and CentOS too, look for ldd version. ldd –version   You should get the glibc from first line of the result. If it is more recent than 2.18, you do not need to worry. For older versions, patch is necessary.

Proof-of-concept?

Indusface Research Team strongly believes that vulnerability is serious and many people are still unaware of the damage it can cause. That is why we are going wait before we release the in-depth analysis and proof-of-concept when majority of older systems are patched and not vulnerable to exploitation through GHOST.

Mitigation

Update glibc version using default package manager for OS. You can contact your license vendor and apply for a patch to get rid of the issue. Once the system has been updated, make sure that you check for the glibc version once again, just to be sure. Our research team is constantly reviewing the developments on the GHOST vulnerability and promises to come up with important details when required. You can also contact us to understand how IndusGuard WEB can help detect GHOST and several other vulnerabilities continuously.

Founder & Chief Marketing Officer, Indusface

Venky has played multiple roles within Indusface for the past 6 years. Prior to this, as the CTO @indusface, Venky built the product/service offering and technology team from scratch, and grew it from ideation to getting initial customers with a proven/validated business model poised for scale. Before joining Indusface, Venky had 10+ years of experience in security industry and had held various mgmt/leadership roles in Product Development, Professional Services and Sales @Entrust.