Researchers have discovered a critical vulnerability (CVE-2015-0235) in the Linux GNU C Library (glibc) that could potentially allow attackers to execute code on servers and gain remote control of Linux machines, without the necessary system credentials. This flaw is found in most versions of Linux, in which a buffer overflow can be exploited by calling the gethostbyname*() function. However, although the distribution of the vulnerability goes as far back as 2000, the vulnerability is not easily exploitable at this point. In this instance, the issue is very different from what we saw with other high-impact vulnerabilities, such as Heartbleed and Shellshock. There are several factors which make this particular vulnerability less dangerous than other high-impact vulnerabilities we have recently seen. The vulnerability has been patched (for the most part) in May of 2013, so most newer Linux builds have not been at risk. Furthermore, exploitation of this vulnerability is not easy given the attacker only has 4-8 bytes to work with for their exploit payload. At this time, there are very few applications that are at risk of the vulnerability and no remote exploits. This could change, however, as groups are already digging into the vulnerability further, so it is important for organizations to identify vulnerable systems on their network and patch them promptly. It is also important to note that the gethostbyname*() is also somewhat obsolete due to the function not being compatible with IPv6 and has been replaced by getaddrinfo(), which is not vulnerable. As a result, very few applications are actually vulnerable to GHOST but many legacy applications that are no longer updated could introduce further risk. Even though GHOST is not as critical as other widespread vulnerabilities we have seen, system administrators should still be checking their environment to understand their risk. All Linux distributions have released patches, which upgraded the version of glibc, and should be upgraded soon. Tripwire has issued a VERT Alert that includes custom rules to detect vulnerable systems for Tripwire IP360 customers and an ASPL update has been pushed for detecting GHOST.
Image