A vulnerability dubbed ‘Ghost’ (CVE-2015-0235) in the GNU C Library (glibc) leaves Linux-based systems open to attack. A team of researchers from Qualys, a cloud security company, discovered the vulnerability and promptly reported it to Linux distributors. A flaw of this kind lets attackers take over a system completely, without needing to know any ID or password.
The ‘gethostbyname’ Domain Name System (DNS) resolution functions are used on nearly all networked Linux-based systems. An attacker only has to trigger a buffer overflow by supplying an invalid hostname to an application that performs DNS resolution. From there, it is a matter of remotely executing arbitrary code to hijack the entire system. Qualys has even created a proof-of-concept, which will be released when at least half of the Linux servers are properly patched.
Debian 7, Red Hat Enterprise Linux 5, 6 and 7, CentOS 6 and 7 as well as Ubuntu 12.04 are vulnerable, so download patches as soon as you can.
Qualys explained this in their blog post: “We developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine.”
The vulnerability is present in Linux systems built with glibc-2.2, released in November 2000. Although the bug was fixed in May 2013, the fix was not registered as a security issue at the time. This explains why so many Linux-based systems are still exposed to attack. The affected distributions are Debian 7 (Wheezy), Red Hat Enterprise Linux 5, 6 and 7, CentOS 6 and 7, and Ubuntu 12.04. Some patches have already been released, whereas others are in the works.
If you are a Linux user, you are best advised to update your system as soon as possible rather than waiting for the inevitable. Yes, Linux hardly ever requires a reboot for changes to take effect, but it is better to reboot the system once the update is done, just to be on the safe side. Speaking of safe sides, you might even want to take the advice of Robert Graham (Errata Security representative) and use the getaddrinfo() function rather than sticking with the old gethostbyname function any longer.
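A sketch of the getaddrinfo() migration suggested above, as an added example rather than code from Qualys, Robert Graham or glibc. The helper name resolve_first, the MAX_HOSTNAME constant and the length check in front of the resolver are assumptions made for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L  /* expose getaddrinfo() under strict -std= modes */
#endif
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

#define MAX_HOSTNAME 253  /* assumption: longest valid textual DNS name */

/* Hypothetical helper: resolve `name` and write its first address, as text,
 * into `out`. Returns 0 on success, -1 for a rejected name, -2 on failure. */
int resolve_first(const char *name, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL, *ai;
    int rc = -2;

    /* Reject empty or overlong input before it reaches the resolver. */
    if (name == NULL || name[0] == '\0' || strlen(name) > MAX_HOSTNAME)
        return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* IPv4 or IPv6 */
    hints.ai_socktype = SOCK_STREAM;  /* one entry per address */
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return -2;

    for (ai = res; ai != NULL && rc != 0; ai = ai->ai_next) {
        const void *addr = NULL;
        if (ai->ai_family == AF_INET)
            addr = &((struct sockaddr_in *)ai->ai_addr)->sin_addr;
        else if (ai->ai_family == AF_INET6)
            addr = &((struct sockaddr_in6 *)ai->ai_addr)->sin6_addr;
        if (addr && inet_ntop(ai->ai_family, addr, out, (socklen_t)outlen))
            rc = 0;
    }
    freeaddrinfo(res);  /* results are heap-allocated by the library, then freed here */
    return rc;
}

int main(int argc, char **argv)
{
    char buf[INET6_ADDRSTRLEN];
    const char *name = argc > 1 ? argv[1] : "127.0.0.1";
    int rc = resolve_first(name, buf, sizeof buf);
    printf("%s -> %s\n", name, rc == 0 ? buf : "(not resolved)");
    return rc == 0 ? 0 : 1;
}
```

Unlike gethostbyname, this call also handles IPv6 and is reentrant, so the same helper can be used from threaded code.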