Critical vulnerability in the Linux glibc library
On the 27th January 2015, a vulnerability affecting the GetHost functions within the GNU C Library ‘glibc’ was publicly disclosed. The vulnerability has been named GHOST, and is thought to be comparable to both Heartbleed and ShellShock in terms of potential impact.
What is the impact?
The vulnerability is a buffer overflow that allows remote code execution, which ultimately means that internet-facing services that invoke the gethostbyname and gethostbyname2 API functions could be exploited to obtain a remote command shell running with the privileges of the affected service.
Could my organisation be vulnerable?
There are a number of Linux distributions that are known to be vulnerable, including (but not limited to) the following:
- Ubuntu 10.04
- Ubuntu 12.04
- Debian 7
- CentOS 6
- CentOS 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Any unsupported Linux distributions
How can we detect the vulnerability?
SureCloud has implemented detection methods into our scanning platforms, which are now available to our clients with on-demand scanning. For customers with in-house scanning appliances, the detection plugins will be updated overnight; all on-demand scanning customers are able to start external vulnerability scans using the new Tool Policy ‘SureGuard: GHOST’.
The ‘SureGuard: GHOST’ Tool Policy will require credentials as detection is based upon determining the installed packages and libraries. Currently we are able to detect vulnerable versions of CentOS 5, CentOS 6, Debian 7, Oracle Linux 6, Amazon Linux AMI, Scientific Linux SL5, Scientific Linux SL6, Scientific Linux SL7, Red Hat 5, Red Hat 6, Red Hat 7, Ubuntu 10.04, Ubuntu 12.04, and SuSE 11. We will update the scanning policy should any further developments occur.
Unprivileged detection methods are likely to be possible and will be incorporated should they become available.
It is possible to manually determine whether the installed libraries are vulnerable by checking the currently installed version. Run the command ‘ldd --version’ and review the output (the first line reports the installed glibc version); comparing it with the fixed versions below shows whether the packages installed on the server should be updated.
- Ubuntu 10.04 LTS: Fixed version 2.11.1-0ubuntu7.20
- Ubuntu 12.04 LTS: Fixed version 2.15-0ubuntu10.10
- Debian 7 LTS: Fixed version 2.13-36+deb7u7
- CentOS: Fixed version 2.18
- Red Hat Enterprise Linux: Fixed version: 2.18
If the installed version is older than the fixed version listed above for your distribution, then the system is vulnerable to GHOST.
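The manual check above can be scripted. The following is an added example, not SureCloud's or the distribution vendors' code: it parses the first line of ‘ldd --version’ output and compares the installed version against the fixed versions listed in this advisory. The version ordering is a simplified Debian-style comparison (numeric runs compare as integers, letters as strings, no epoch or ‘~’ handling), an assumption made here rather than dpkg's own algorithm; the sample output lines are constructed.

```python
import re

# Fixed versions exactly as listed in the advisory. Ubuntu/Debian entries are
# distribution package versions; CentOS/RHEL entries are the upstream glibc
# version, which is what 'ldd (GNU libc) X.Y' reports on those systems.
FIXED_VERSIONS = {
    "ubuntu-10.04": "2.11.1-0ubuntu7.20",
    "ubuntu-12.04": "2.15-0ubuntu10.10",
    "debian-7": "2.13-36+deb7u7",
    "centos": "2.18",
    "rhel": "2.18",
}

def version_key(version):
    """Tokenise a version string so lists compare in Debian-like order.
    Numbers compare as integers, alphabetic runs as strings, separators
    ('.', '-', '+') are dropped. Simplified assumption: no epochs, no '~'."""
    return [(0, int(t), "") if t.isdigit() else (1, 0, t)
            for t in re.findall(r"\d+|[A-Za-z]+", version)]

def parse_ldd_version(first_line):
    """Extract the installed glibc version from the first line of `ldd --version`.
    Ubuntu/Debian print e.g. 'ldd (Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15';
    CentOS/RHEL print 'ldd (GNU libc) 2.12', so fall back to the trailing
    upstream version when the parenthesised text carries no package version."""
    m = re.match(r"ldd \(([^)]*)\)\s+([\d.]+)\s*$", first_line.strip())
    if not m:
        raise ValueError("unrecognised ldd output: %r" % first_line)
    vendor_text, upstream = m.groups()
    words = vendor_text.split()
    last = words[-1] if words else ""
    return last if last[:1].isdigit() else upstream

def is_vulnerable(first_line, distro):
    """True when the installed version is older than the advisory's fixed version."""
    installed = parse_ldd_version(first_line)
    return version_key(installed) < version_key(FIXED_VERSIONS[distro])

if __name__ == "__main__":
    # Constructed sample lines; on a real host use: ldd --version | head -1
    samples = [
        ("ubuntu-12.04", "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15"),
        ("ubuntu-12.04", "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15"),
        ("debian-7", "ldd (Debian EGLIBC 2.13-38+deb7u7) 2.13"),
        ("centos", "ldd (GNU libc) 2.12"),
    ]
    for distro, line in samples:
        state = "VULNERABLE" if is_vulnerable(line, distro) else "fixed"
        print("%-13s %-20s %s" % (distro, parse_ldd_version(line), state))
```

Pass the distribution key explicitly, since the ‘ldd’ output alone does not identify CentOS from RHEL.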
How can we remediate the vulnerability?
Several vendors have released updated packages for their distributions that are not vulnerable:
Red Hat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
SuSE: https://support.novell.com/security/cve/CVE-2015-0235.html
Ubuntu: https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GHOST
Once the updates are installed, a reboot of the system is necessary so that running processes use the newly installed library, as the affected library is loaded by many applications and services.
Get in touch
Should you have any questions regarding this or any security matter, please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organization may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed, are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in-line with any existing internal change control procedures.