‘Ghost’ Flaw Leaves Linux Systems Vulnerable

A loophole termed ‘Ghost’ (CVE-2015-0235) in the Linux GNU C (glibc) library leaves Linux-based systems vulnerable to attacks. A team of researchers from Qualys, a cloud security company, discovered the vulnerability and promptly reported it to Linux distributors. A security lapse such as this leaves the system completely open for hackers to take over with no need to be aware of the ID or password.

‘gethostbyname’ Domain Name System (DNS) resolution functions are used on nearly all networked Linux-based systems. Hackers merely trigger a buffer overflow with an incorrect hostname that directs them to DNS resolution. Then, it’s just a matter of remotely executing arbitrary code in order to hijack the entire system. Qualys has even created a proof-of-concept which will be released when at least half of the Linux servers are properly patched.

Debian 7, Red Hat Enterprise Linux 5, 6 and 7, CentOS 6 and 7 as well as Ubuntu 12.04 are vulnerable so download patches as soon as you can

Qualys explained this in their blog post, “we developed a proof-of-concept in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine.”

This loophole surfaces in Linux systems that were built with glibc-2.2 released in Novermber, 2000. Although the bug was patched with a fix in May, 2013, this was not exactly registered as a security issue. This explains why so many Linux-based systems now lend themselves to attacks. The affectees are as follows: Debian 7 (Wheezy), Red Hat Enterprise Linux 5, 6 and 7, CentOS 6 and 7 as well as Ubuntu 12.04. Some patches have already been dished out whereas others are in the works.

If you happen to be a Linux user, you are best advised to update your system as soon as possible rather than waiting for the inevitable. Yes, Linux hardly ever requires reboots for operations to take effect but it is better to reboot the system once done, just to be on the safe side. Speaking of safe sides, you might even want to take Robert Graham’s (Errata Security representative) advice and use getaddrinfo() function rather than sticking with the old gethostbyname function any longer.

    • No OS is 100% secure. The difference with Linux and others is Linux is 99% secure. Others aren’t. Plus Linux communities are so much more vast & swift that updateds/patches/fixes are issued in matter of minutes. There is always a key for each lock. Still Linux is the Boss.

  • It looks like from this post as if users are executing gethostbyname function by choice. These are system calls over which users have no control, unless they modify source code of all applications and recompile them with changed function.

    Another thing is, this vulnerability does not leave the system completely open to hackers since the exploit can only run arbitrary code as the user through which that particular service was started. Unless you are running vulnerable services as root user, the hack will be limited to that particular user only.

    Also, I would like to list patched versions of glibc which are being pushed by CentOS and Red Hat if you are looking for updates.

    CentOS / Redhat 6: glibc.x86_64 0:2.12-1.149.el6_6.5

    CentOS / RedHat 7: glibc.x86_64 0:2.17-55.el7_0.5

    • Any service that runs as root and performs DNS lookups (usually reverse DNS) is possibly vulnerable with this. That includes mail servers (both SMTP and POP/IMAP). They run as root.

  • Ltd feature videos

    Watch more at LTD