There's a GHOST in Linux's Library
Jan 28, 2015 4:37 PM PT
Patches for GHOST, a critical vulnerability in the Linux GNU C Library (glibc), now are available through vendor communities for a variety of Linux server and desktop distributions.
Qualys earlier this week reported its discovery of GHOST (CVE-2015-0235), a vulnerability that allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.
A Qualys security research team found the GHOST flaw and worked closely with Linux distribution vendors in a coordinated effort to offer a patch for all distributions of Linux systems impacted.
Corresponding vendors made that patch available effective Wednesday, said Amol Sarwate, director of vulnerability labs at Qualys.
Qualys delayed divulging the existence of the security hole for several weeks to allow vendors time to develop and distribute a patch. It is unclear whether hackers have exploited it.
"We discovered the vulnerability during a code audit. It was found not recently but some time ago. We were working with vendors to come up with a coordinated way to disclose it when patches were available," Sarwate told LinuxInsider.
What It Does
The exploit allows an attacker to take complete control of a machine, Sarwate explained.
"I would classify this as a high severity threat because of the consequences," he added.
The flaw opens up most Linux-based Web and mail servers to attack. The vulnerability is triggered through the gethostbyname family of functions.
Numerous core processes call gethostbyname, including auditd, dbus-daemon, dhclient, init, master, mysqld, rsyslogd, sshd and udevd.
The flaw in glibc is a buffer overflow that can be triggered both locally and remotely in the gethostbyname functions. Applications that use glibc get access to a DNS resolver, which converts hostnames into IP addresses, according to Qualys.
Almost all networked Linux computers use this function to reach another host, either by looking it up in the /etc/hosts file or by resolving an Internet domain name through the Domain Name System.
The vulnerability seems easy to trigger. An attacker can force a buffer overflow by passing an invalid hostname argument to an application that performs DNS resolution. That gives the attacker the ability to remotely execute arbitrary code with the permissions of the user running the DNS lookup.
Applying the patch is a fairly straightforward process. It is just the same as installing any other patch on a Linux system, according to Sarwate.
However, it could be complicated by earlier patching gaps. The flaw exists in older versions of the GNU C Library, or glibc, a collection of open source code written in the C and C++ coding languages. Newer versions of glibc, beginning with the August 2013 glibc 2.18 release, are not affected. Many Linux builds, though, may still be using older versions.
A variety of factors mitigate the impact of this security hole, according to Qualys. One key factor is a fix released on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18. That fix was not classified as a security advisory.
As a result, most stable and long-term-support distributions were left exposed, according to Qualys. Affected Linux distros include Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04.
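To confirm that a host's installed glibc actually carries the fix, here is an added self-check; it is not code from the article, but follows the canary approach Qualys published with its advisory. It calls gethostbyname_r() with a numeric-looking name sized exactly to the unpatched size computation and reports whether the adjacent canary survived; it assumes a glibc-based system, and on another libc it reports the result as inconclusive.

```c
/* Added canary self-check for CVE-2015-0235 (GHOST), not code from the article;
 * it follows the canary idea Qualys published with the advisory. A numeric-looking
 * name is sized so that an unpatched glibc writes sizeof(char *) bytes past the
 * caller's buffer into the canary. Only this process's own memory is touched. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

static struct {               /* buffer handed to gethostbyname_r(), then canary */
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp;

/* 1: canary overwritten (vulnerable glibc); 0: name refused with ERANGE
 * (patched glibc); 2: canary intact but another return code, e.g. on a
 * non-glibc libc (inconclusive, but not a vulnerable result). */
int ghost_check(void)
{
    struct hostent resbuf, *result = NULL;
    int herrno = 0, retval;
    char name[sizeof(temp.buffer)];
    /* Unpatched glibc sized a numeric host as 16 (address) + 2 pointers +
     * strlen(name) + 1, forgetting one more char * for the alias pointer.
     * A name of exactly this length passes its size check and overflows. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';
    memset(&temp, 0, sizeof temp);
    strcpy(temp.canary, CANARY);
    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);
    if (strcmp(temp.canary, CANARY) != 0)
        return 1;
    return retval == ERANGE ? 0 : 2;
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "vulnerable", "inconclusive" };
    printf("glibc GHOST check: %s\n", verdict[ghost_check()]);
    return 0;
}
```

Run it on each host after the vendor patch is installed and services are restarted; a "vulnerable" verdict means the running libc still lacks the May 2013 fix.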
Bug Fix Hell
Patching the GHOST hole could be more trying than fixing other recently discovered Linux vulnerabilities, according to Jon Passki, lead security researcher at Coverity.
"Patching a bug like Shellshock and rolling out a new version could be much easier than patching GHOST, as libc is a core library for many packages and the host operating system in Linux," he told LinuxInsider.
Applying a patch to bash and rolling out a newer version seems a lot easier. None of its dependencies are touched, so the fix can be very specific, Passki said.
"As a sysadmin or someone in security operations, I'd rather have ShellShock than GHOST," he added.
For single-user Linux desktops running mainly software managed by their distribution, complications probably are not an issue, noted Passki. For enterprise systems running proprietary code, getting the patch right could be a thorny problem.