IT Blogwatch Security

GHOST: Most Linux servers have a horrible, horrible vulnerability (in glibc)

GNU's Not Un-vulnerable [You're fired -Ed.]

Time to patch and reboot. Another nasty open-source security hole. Another silly name. And this one's a doozy: GHOST affects the vast majority of 'stable' Linux servers on the Internet, thanks to a bug in glibc.

But why GHOST? GetHOSTbyname(). Geddit?

In IT Blogwatch, bloggers get it.

Your humble blogwatcher curated these bloggy bits for your entertainment.

Jeremy Kirk misuses a mass noun:

A fault in a widely used component of most Linux distributions could allow an attacker to take remote control of a system after merely sending a malicious email.

It is one of many issues found over the last year in open-source software components, including Heartbleed, Poodle and Shellshock.  MORE

And Dan Goodin says it "could spark a lot of collateral damage":

An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers. [It] represents a major Internet threat, in some ways comparable to...Heartbleed and Shellshock.

The bug, which is being dubbed "Ghost"...has the...designation of CVE-2015-0235. While a patch was issued two years ago, most Linux versions used in production systems remain unprotected. ... A remote attacker...could exploit the flaw to execute arbitrary code with the permissions of the [daemon]...bypass[ing] all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections.

Linux systems should be presumed vulnerable unless they run an alternative to glibc or use a glibc version that contains the update. ... Word of the vulnerability appears to have caught developers of the Ubuntu, Debian, and Red Hat distributions of Linux off guard.  MORE

Wolfgang Kandek, Alexander Peslyak and friends go into detail:

During a code audit...we discovered a buffer overflow in the __nss_hostname_digits_dots() function. ... As a proof of concept, we developed a full-fledged remote exploit against the Exim mail server.

The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000. ... Most stable and long-term-support distributions [are] exposed [including] Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04.  MORE
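The overflow Qualys describes can be checked for locally without exploiting anything. The C program below is an added example, not the advisory's own test code: it hands gethostbyname_r() a buffer with a known canary string placed immediately after it, then resolves an all-digit name sized to the advisory's formula (buffer size, minus sizeof(*host_addr), minus sizeof(*h_addr_ptrs), minus one). On a vulnerable glibc the copy runs sizeof(char *) bytes past the buffer and clobbers the canary; on a fixed glibc the call returns ERANGE before copying anything. The CANARY string, the probe struct and the three result codes are this example's own choices.

```c
/* Added example (not the Qualys advisory's code): local check for the
 * __nss_hostname_digits_dots() overflow, CVE-2015-0235. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE 1 /* glibc exposes gethostbyname_r() under this */
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine" /* assumed marker string */

/* buffer and canary are adjacent members, so an overflow of buffer
 * lands in canary rather than in unrelated memory. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

#define GHOST_VULNERABLE     1
#define GHOST_NOT_VULNERABLE 0
#define GHOST_INCONCLUSIVE   2

/* Returns one of the three GHOST_* codes above. */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    /* Name length from the advisory: the miscalculated size_needed then
     * fits the buffer exactly while the real copy runs over its end.
     * host_addr is unsigned char[16], h_addr_ptrs is char *[2]. */
    size_t len = sizeof(probe.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(probe.buffer)];

    memcpy(probe.canary, CANARY, sizeof(CANARY)); /* fresh canary per run */
    memset(name, '0', len); /* all digits: takes the digits-and-dots path */
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                             &result, &herrno);

    if (strcmp(probe.canary, CANARY) != 0)
        return GHOST_VULNERABLE;      /* the copy ran past the buffer */
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;  /* fixed glibc: rejected as too small */
    return GHOST_INCONCLUSIVE;        /* non-glibc libc, or some other failure */
}

int main(void)
{
    switch (ghost_check()) {
    case GHOST_VULNERABLE:     puts("vulnerable");     return 1;
    case GHOST_NOT_VULNERABLE: puts("not vulnerable"); return 0;
    default:                   puts("inconclusive");   return 2;
    }
}
```

Compile with cc -o ghost ghost.c and run it on each host. "Inconclusive" means the system is probably not running glibc at all (musl, for instance) or the call failed for some other reason; in that case fall back on the distribution's package version rather than this probe.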

Mattias Geniar agrees -- it's "very serious":

This is major. The gethostbyname() calls can often be triggered remotely for applications that do any kind of DNS resolving.

Just like the recent OpenSSL heartbleed bug, this will be an annoying one to fix. The update is in the glibc package, but that's a set of libraries that are being used by a lot of running services. After the update, each of these services needs to be restarted. ... It's probably easiest to just reboot your entire server, since pretty much everything depends on glibc. ... Until that time, every DNS name being resolved is a potential security threat.  MORE

Meanwhile, sjvn is apologetic (in both senses of the word):

Josh Bressers, manager of the Red Hat product security team said..."Red Hat got word of this about a week ago. Updates to fix GHOST on Red Hat Enterprise Linux (RHEL) 5, 6, and 7 are now available." ... Debian is currently repairing its core distributions, Ubuntu has patched the bug both for 12.04 and the older 10.04, and I'm told the patches are on their way for CentOS.

My advice to you is to now, not later today, now, update your Linux system. ... After patching it, you should then reboot the system. I know for Linux it's rarely needed to reboot, [but I] want to make absolutely sure that all your system's running programs are using the patched code.  MORE
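Geniar's and sjvn's point, that the update only takes effect once every process has reloaded glibc, can be verified rather than assumed. The program below is an added example, not code from either post. Linux keeps the old library file alive for any process that mapped it before the package replaced it, and marks such mappings with a trailing "(deleted)" in /proc/PID/maps, so walking /proc and looking for libc mappings with that marker lists exactly the processes that still need a restart. The file-name matching (libc-*.so and libc.so*) and the exit codes are this example's own conventions; seeing other users' processes requires running it as root.

```c
/* Added example (not from either post): list processes still running on a
 * glibc that has since been replaced on disk. */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if a /proc/PID/maps line refers to a libc image that no longer
 * exists on disk, i.e. the process loaded libc before the package update. */
int is_stale_libc_mapping(const char *line)
{
    const char *path = strchr(line, '/'); /* pathname column, if any */
    if (path == NULL)
        return 0;                         /* heap, stack, anonymous, [vdso] */
    const char *base = strrchr(path, '/') + 1; /* file name plus any suffix */
    /* libc-2.x.so and libc.so.6 only; keeps libcrypto & co. out */
    if (strncmp(base, "libc-", 5) != 0 && strncmp(base, "libc.so", 7) != 0)
        return 0;
    return strstr(base, "(deleted)") != NULL;
}

/* Walk /proc; print each PID with a stale libc and return how many there
 * were, or -1 if /proc could not be opened. */
int count_processes_with_stale_libc(void)
{
    DIR *proc = opendir("/proc");
    if (proc == NULL)
        return -1;
    int hits = 0;
    struct dirent *de;
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;                     /* not a PID directory */
        char path[300];
        snprintf(path, sizeof(path), "/proc/%s/maps", de->d_name);
        FILE *f = fopen(path, "r");
        if (f == NULL)
            continue;                     /* not readable by us, or gone */
        char line[4096];
        int stale = 0;
        while (fgets(line, sizeof(line), f) != NULL) {
            if (is_stale_libc_mapping(line)) {
                stale = 1;
                break;
            }
        }
        fclose(f);
        if (stale) {
            printf("pid %s still maps a deleted libc: restart it\n", de->d_name);
            hits++;
        }
    }
    closedir(proc);
    return hits;
}

int main(void)
{
    int n = count_processes_with_stale_libc();
    if (n < 0) {
        perror("/proc");
        return 2;
    }
    printf("%d process(es) need a restart\n", n);
    return n > 0 ? 1 : 0;
}
```

Run it after the package update: an empty result means every process is already on the new glibc and the reboot is optional; a non-empty one names what to restart (or, as both posts recommend, just reboot). lsof reports the same mappings, marked "(deleted)" in its NAME column, if you prefer a one-liner.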

Update: John Leyden jars the accepted news angle:

[It's] nowhere near as bad as the infamous Heartbleed flaw, according to security experts. ... A fix released in May 2013 (between...glibc-2.17 and glibc-2.18) is capable of mitigating...the vulnerability. Unfortunately, this fix was not classified as a security advisory at the time.

H.D. Moore [said] Ghost - although worthy of immediate triage - was nowhere near as serious as the infamous Heartbleed OpenSSL security vulnerability. "To be clear, this is NOT the end of the Internet as we know it. ... It’s not likely to be an easy bug to exploit. ... Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting."  MORE

You have been reading IT Blogwatch by Richi Jennings, who curates the best bloggy bits, finest forums, and weirdest websites… so you don't have to. Catch the key commentary from around the Web every morning. Hatemail may be directed to @RiCHi or Opinions expressed may not represent those of Computerworld. Ask your doctor before reading. Your mileage may vary. E&OE.

Copyright © 2015 IDG Communications, Inc.
