New GHOST Vulnerability Threats Popular Linux Distributions

    image

    Vulnerability in common Linux distributions could allow an attacker to gain remote control of the system. Users of Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04 were hit. Zend Framework v2, Wordpress, and a number of other popular applications are also vulnerable.

    Information on the new vulnerability ( CVE-2015-0235 ) in the glibc library (GNU C Library) was first published on the French mailing list . Some experts believe that this was done by mistake, since by that time no one had time to prepare updates.

    A detailed technical description of the vulnerability and an exploit for the vulnerability can be found on Openwall , and the first descriptions were published in the Rapid 7 community..

    What is the problem


    The specialists who discovered the vulnerability managed to prepare a specially crafted email message exploiting the vulnerability in the Exim mail server running the vulnerable version of Glibc. It is worth noting that Exim is very widespread and in some operating systems is the default mail server. But in addition to this, other applications can potentially be exploited:

    • SSH servers using DNS queries for authentication with allow / deny.
    • Mail servers with reverse DNS queries.
    • Numerous web applications that perform DNS queries based on user input.
    • MySQL DBMS that authenticate against domain names (MySQL privileges).

    GHOST vulnerability was discovered in the library (glibc - gethostbyname () and gethostbyname2 () functions), which is an integral part of Linux - there are not so many desktop computers running this OS around the world, but the population of servers running on it is very large, and this means that the network infrastructure of most technology projects may be at risk. Other libc implementations (such as uclibc, musl) do not have a vulnerability.

    The error was given the name GHOST ("ghost") - an abbreviation that outperforms the names of the vulnerable functions gethostbyname () and gethostbyname2 ().

    According to one version based on the analysis of logo metadata with a red ghost, experts knew about this vulnerability at least October 2, 2014 and complied with the conditions of responsible disclosure, while the developers corrected the error.

    What is the difference from Heartbleed and Shellshock


    Unlike the vulnerability in the OpenSSL Heartbleed package that allowed attackers to read server memory, the GHOST error allows you to take control of the operating system using remote code execution (RCE). Since servers are primarily at risk, the problem should not affect as many users as Heartbleed, but the infrastructure of most Internet companies is at risk.

    Compared to another sensational Shellshock vulnerability , the exploitation of GHOST is more complicated, since it allows executing binary instructions rather than console commands - this means that for exploitation it is necessary to bypass the Linux kernel protection mechanisms.

    How to protect yourself


    In order to secure your servers, you need to install the patch (patch) released by the supplier of the corresponding Linux distribution. Information about the vulnerability appeared on January 27, so today, (January 28), the first patches should appear.

    In addition, the Cyberciti.biz resource published instructions on detecting all services, applications and executable files in the distribution package associated with the vulnerable glibc library (GNU C Library), as well as fixing the error.

    image

    Also popular now: