Wednesday, 28. January 2015

Not So Spooky: Linux “Ghost” Vulnerability

Researchers at Qualys have found a vulnerability in the GNU C Library (alternately known as glibc), which can be used to run arbitrary code on systems running various Linux operating systems. The vulnerability (assigned as CVE-2015-0235) has been dubbed GHOST and is the latest vulnerability to receive a “friendly” name, joining others like Heartbleed, Shellshock, and POODLE. However, closer inspection reveals that this particular vulnerability, while serious, is not easy to exploit and has a very limited attack surface.

GHOST is a buffer overflow vulnerability triggered by calling the gethostbyname*() functions in glibc. These functions are used to resolve domain names into IP addresses by various applications. Theoretically, any application that uses these functions (practically any application that goes online) is at risk of being exploited.

At first glance, it would seem that this poses a massive security problem. Fortunately for most users, there are many factors that mitigate any risk due to GHOST.

First of all, this vulnerability has long been patched. The underlying problem was first introduced into glibc in 2000, but was fixed by May 2013. This means that many newer Linux operating systems were never at risk. (Like Shellshock, Windows-based systems are generally not vulnerable either.)

Secondly, not all applications are at equal risk. Exploitation is very difficult as an attacker only has a small amount of initial exploit code that can be used: 4 or 8 bytes (depending on whether the system is a 32- or 64-bit system). Additional code must be written to an address referenced by a pointer which the attacker can modify. As a result, many apps are not at risk. So far, we are not aware of any potential web attack vectors, which reduces the attack surface considerably.

Thirdly, the functions that are the subject of this vulnerability are obsolete. They cannot be used to translate domain names to IPv6 addresses; newer applications use the getaddrinfo() function, which does have IPv6 support.

Taken together, the risk of actual exploits targeting GHOST is relatively small compared to other vulnerabilities like Shellshock or Heartbleed. Yes, the underlying vulnerability is problematic, but defense in depth by other vendors means that the actual risk is relatively low. So far, only Exim Mail Transfer Agent has been confirmed to be remotely exploitable, but there could more. With only four or eight bytes as the initial exploit vector, gaining further access is highly dependent on application design and memory usage. This is a significant barrier to exploitation.

This doesn’t mean that system administrators can ignore the problem altogether, but it does mean that they can respond in a calm and orderly manner. Linux distributions have released patches that upgrade the version of glibc in use. Administrators should roll these out as soon as possible.

Post from: Trendlabs Security Intelligence Blog - by Trend Micro

Not So Spooky: Linux “Ghost” Vulnerability