What is GHOST?
GHOST is a serious vulnerability that has been discovered in the glibc library.
What is the glibc?
It’s the GNU C Library, a key part of the Linux operating system. If you don’t have glibc, your Linux system is not going to work.
So, what’s the vulnerability?
Researchers at Qualys discovered a buffer overflow vulnerability in the __nss_hostname_digits_dots() function of glibc, that can be triggered (locally or remotely) via the gethostbyname*() functions used to resolve hostnames.
Okay, you’re getting slightly nerdy… tell me what’s the danger?
An attacker could exploit the vulnerability to remotely execute malicious code on a vulnerable system, and gain complete control.
That sounds bad
It is. Qualys says it has developed a proof-of-concept attack in which sending a specially crafted email to a mail server can give them remote access to a Linux machine. They say that it bypasses all existing protection systems on both 32-bit and 64-bit systems.
How old is the vulnerability?
Versions of glibc as far back as glibc-2.2, released way back in 2000, are affected by the vulnerability.
Hmm. So, what versions and operating systems are at risk from the GHOST vulnerability?
Here’s what Qualys says in its blog post about the vulnerability:
The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000. We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.
What needs to be done?
Fortunately, Qualys informed Linux distribution vendors in advance of going public, and patches are now available.
Will I have to reboot my servers to apply the patch?
Almost certainly, yes. Sorry.
Where can I find more information?
- Qualys Advisory: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
- RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
- Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
- GNU C Library: http://www.gnu.org/software/libc/
- Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
Have any bad guys exploited the GHOST vulnerability yet?
Not as far as we know. But now details of the vulnerability are emerging publicly, it may only be a matter of time.
Companies are busy patching themselves. For instance, WP Engine (which hosts this website) says it updated all of its servers last night. Thanks guys!
Why is it called GHOST?
First answer: Because every vulnerability these days needs a sexy name. After all, no-one normal would ever call it CVE-2015-0235.
Second answer: The vulnerability can be triggered by the GetHOST functions. Geddit?
I like the logo. It’s cute
Yes it is. You might find this technical analysis of the logo (not the vulnerability) amusing.
Found this article interesting? Follow Graham Cluley on Twitter to read more of the exclusive content we post.