On the 27th January 2015, a vulnerability affecting the GetHost functions within the GNU C Library ‘glibc’ was publicly disclosed. The vulnerability has been named GHOST, and is thought to be comparable to both Heartbleed and ShellShock in terms of potential impact.
The vulnerability is a buffer overflow that allows for remote based code execution, which ultimately means that internet facing services that invoke the _gethostbynameand gethostbyname2 API function calls could be exploited for remote command shells with privileges that the services are running as.
There are a number of Linux distributions that are known to be vulnerable, including (but not limited to) the following:
SureCloud has implemented detection methods in to our scanning platforms, which are now available to our clients that have on-demand scanning. For our customers with in-house scanning appliances, their detection plugins will be updated overnight, however all on-demand scanning customers are able to start external vulnerability scans using the new Tool Policy ‘SureGuard: GHOST’.
The ‘SureGuard: GHOST’ Tool Policy will require credentials as detection is based upon determining the installed packages and libraries. Currently we are able to detect vulnerable versions of CentOS 5, CentOS 6, Debian 7, Oracle Linux 6, Amazon Linux AMI, Scientific Linux SL5, Scientific Linux SL6, Scientific Linux SL7, Red Hat 5, Red Hat 6, Red Hat 7, Ubuntu 10.04, Ubuntu 12.04, and SuSE 11. We will update the scanning policy should any further developments occur.
Unprivileged detection methods are likely to be possible and will be incorporated should they become available.
It is possible to manually determine the vulnerable status of the installed libraries by checking the version that is currently installed. By running the command ‘ldd –version’ and reviewing the output, you can manually determine if the packages installed on servers should be updated.
If the installed versions are older than any of the ones listed above, then the system is vulnerable to GHOST.
Several vendors have produced updated packages for their distributions, which are not vulnerable.
Once updates are installed, a reboot of the system is necessary to utilise the newly installed library, as the affected library is used by many applications and services.
Should you have any questions regarding this or any security matter, please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed, are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in-line with any existing internal change control procedures.