GHOST vulnerability (CVE-2015-0235)

Please be advised that with the recent Security Advisory above more focus should be spent ensuring that patching is complete for the GHOST vulnerability. This vulnerability affects a variety of Linux servers and Linux-based firmware. In order to help our customers address this threat we have outlined the vector and mitigation methods applicable to the GHOST vulnerability below.

What We Know

What is GHOST:

• GHOST is a “buffer overflow” bug affecting the gethostbyname*() function calls in the glibc library
• Earliest vulnerable glibc version: glibc-2.2 (released Nov. 10, 2000)
• The gethostbyname*() function calls are used for DNS resolution. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying a specially crafted hostname argument to an application that performs hostname-to-IP-address translation
• The vulnerability was fixed on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18 (glibc-2.18 and higher are thus not vulnerable)
• Although this is a severe vulnerability that allows for remote code execution, the threat of exploitation is relatively low due to multiple mitigating factors:
  • Vulnerable gethostbyname*() functions are obsolete as they lack IPv6 support -- recent applications use getaddrinfo() instead
  • Many programs will only use gethostbyname() if a preliminary call to inet_aton() fails -- this makes a successful exploit impossible
  • Many programs only use gethostbyname() to perform forward-confirmed reverse DNS checks (FCrDNS) -- these are generally safe from exploitation

Who is affected:

• Known vulnerable versions of Linux:
  • Arch Linux glibc version 2.18-1 and prior
  • Centos 5, 6 and 7
  • Debian Linux 7
  • Fedora 19 and prior
  • Linux Mint 13
  • OpenSUSE/SUSE Linux Enterprise 11 and prior
  • RHEL 5, 6 and 7
  • Ubuntu 10.04 and 12.04 LTS
• Appliances running Linux-based firmware may also be vulnerable (the list below is not intended to be exhaustive):
  • https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost
  • https://kb.juniper.net/InfoCenter/index?page=content&id=JSA10671&actp=search
  • https://kc.mcafee.com/corporate/index?page=content&id=SB10100
  • https://bto.bluecoat.com/security-advisory/sa90
  • http://www.websense.com/support/article/kbarticle/GHOST-glibc-Vulnerability

Protection

eSentire protection:

• Based on a recently released proof-of-concept exploit, eSentire has updated Network Interceptor™ signatures to detect attempts to exploit this vulnerability against Exim mail servers
• We recommend that you apply the appropriate security updates on all vulnerable Linux hosts as soon as possible
• For firmware-based appliances, please consult your vendors for the latest vulnerability information and patches

Resources

• https://www.qualys.com/2015/01/27/cve-2015-0235/GHOST-CVE-2015-0235.txt
• https://blogs.it.ox.ac.uk/oxcert/2015/01/28/ghost-in-the-shell-cve2015-0235/
• http://blogs.cisco.com/security/talos/ghost-glibc