
Security advisories | Feb 26, 2019

GHOST vulnerability (CVE-2015-0235)

Please be advised that, in light of the recent Security Advisory above, more attention should be given to ensuring that patching is complete for the GHOST vulnerability. This vulnerability affects a variety of Linux servers and Linux-based firmware. To help our customers address this threat, we have outlined the vector and mitigation methods applicable to the GHOST vulnerability below.

What We Know
What is GHOST:
  • GHOST is a “buffer overflow” bug affecting the gethostbyname*() function calls in the glibc library
  • Earliest vulnerable glibc version: glibc-2.2 (released Nov. 10, 2000)
  • The gethostbyname*() function calls are used for DNS resolution. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying a specially crafted hostname argument to an application that performs hostname-to-IP-address translation
  • The vulnerability was fixed on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18 (glibc-2.18 and higher are thus not vulnerable)
  • Although this is a severe vulnerability that allows for remote code execution, the threat of exploitation is relatively low due to multiple mitigating factors:
    • Vulnerable gethostbyname*() functions are obsolete as they lack IPv6 support -- recent applications use getaddrinfo() instead
    • Many programs call gethostbyname() only if a preliminary call to inet_aton() fails -- the overflow can only be reached with a hostname that parses as an IP address, so in these programs a successful exploit is impossible
    • Many programs only use gethostbyname() to perform forward-confirmed reverse DNS checks (FCrDNS) -- these are generally safe from exploitation
Who is affected:
eSentire protection:
  • Based on a recently released proof-of-concept exploit, eSentire has updated Network Interceptor™ signatures to detect attempts to exploit this vulnerability against Exim mail servers
  • We recommend that you apply the appropriate security updates on all vulnerable Linux hosts as soon as possible
  • For firmware-based appliances, please consult your vendors for the latest vulnerability information and patches
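To support the patching recommendation, the following added example (not eSentire code) compares a host's glibc version against the range given under "What is GHOST": 2.2 through 2.17 in range, 2.18 and higher fixed. The names ghost_classify() and ghost_check_running_libc() are hypothetical; gnu_get_libc_version() is the real glibc call.

```c
#include <stdio.h>
#include <string.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* Verdicts returned by ghost_classify() (hypothetical helper names). */
enum { GHOST_UNKNOWN = -1, GHOST_OUTSIDE_RANGE = 0, GHOST_IN_RANGE = 1 };

/*
 * Classify a glibc version string ("2.17", "2.12.1", ...) against the range
 * in the advisory: 2.2 is the earliest vulnerable release, 2.18+ is fixed.
 * Major and minor are compared as numbers; a plain string comparison would
 * wrongly sort "2.17" before "2.2".
 */
int ghost_classify(const char *version)
{
    int major = 0, minor = 0, used = 0;

    if (version == NULL || strlen(version) > 32)
        return GHOST_UNKNOWN;
    if (sscanf(version, "%d.%d%n", &major, &minor, &used) != 2)
        return GHOST_UNKNOWN;
    /* Accept only "M.N" or "M.N.<patch>"; anything else is unparseable. */
    if (version[used] != '\0' && version[used] != '.')
        return GHOST_UNKNOWN;
    if (major < 0 || minor < 0)
        return GHOST_UNKNOWN;
    if (major != 2)
        return GHOST_OUTSIDE_RANGE;
    return (minor >= 2 && minor <= 17) ? GHOST_IN_RANGE : GHOST_OUTSIDE_RANGE;
}

/* Classify the C library this process is actually linked against. */
int ghost_check_running_libc(void)
{
#ifdef __GLIBC__
    return ghost_classify(gnu_get_libc_version());
#else
    return GHOST_UNKNOWN;   /* not glibc: this check says nothing */
#endif
}

int main(void)
{
    static const char *label[] = { "unknown", "outside vulnerable range",
                                   "in vulnerable range: verify patch level" };
    printf("glibc status: %s\n", label[ghost_check_running_libc() + 1]);
    return 0;
}
```

Distributions commonly backport fixes without changing the upstream version number, so an in-range result means the vendor's package changelog should be checked for CVE-2015-0235, not that the host is necessarily unpatched.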