January 29, 2015 by Hansie Boshoff
Download The Nebulas GHOST Vulnerability Table
Including: Blue Coat, Check Point, F5, Juniper and Palo Alto Networks
Last Updated: 5th February 2015
As many Linux/Unix users and administrators will know, the GNU C Library, also known as glibc, is a code library for the C language and forms one of the core components of the Linux/Unix operating system. The Qualys research team has discovered that a buffer overflow exists in any application that calls the gethostbyname*() functions. These functions are primarily used by applications to perform DNS resolution. The vulnerability can be exploited by an attacker forcing a buffer overflow by supplying an invalid hostname argument to an application, which then passes it to glibc to perform DNS resolution.
As languages such as Python and Ruby, and many others, can also make use of glibc, this leaves quite a large number of commercial, open source and custom applications as potential targets. Since this issue affects virtually all Linux-based software that performs a domain resolution request, it affects both desktop and server environments.
Qualys has worked closely with various Linux distributors, and patches for glibc have started to become available from the source libraries and through the default package manager included in the operating systems. The importance of performing the update is rated as critical, as the proof-of-concept work has shown that the vulnerability bypasses many of the built-in exploit protections that exist in both 32-bit and 64-bit operating systems, such as address space layout randomization (ASLR), position-independent executables (PIE) and no-execute (NX) protections.
The recommended steps to test whether a server or desktop environment is vulnerable are to check which version of glibc is currently installed on the machine, check it against the vulnerable version list, update if vulnerable and then restart the machine. Further to that, any application binaries that were statically linked against a vulnerable version will need to be recompiled to ensure a safe update. The tests and checks described next are only able to check the system-level glibc.
As the issue is something that needs to be checked and updated directly on the operating system terminal, general remote vulnerability scanners are presently unable to assist with checking your whole estate/infrastructure in an automated process. Qualys has released an authenticated check for its tool (meaning the tool will need credentials for each machine being checked; it logs in as a console user, checks the version present and reports on it). The alternative is a simple but time-consuming process of logging into individual machines, querying each machine for a version number, checking it against the distribution update notices for that specific OS and then updating where appropriate.
An example for checking Debian: check the version of glibc by requesting the version of the ldd tool (which uses glibc):
ldd --version
The output will look something like the following:
ldd (Ubuntu EGLIBC 2.15-0ubuntu10.7) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
The version number (2.15 at the end of the first line above, together with the package string in parentheses) can be checked against the list on the Debian notification page and updated using apt-get.
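As an added example (not part of the original post), the following shell functions wrap the manual ldd --version check so it can be scripted across many machines. They assume the upstream fix landed in glibc 2.18, so 2.2 up to 2.17 are flagged; a plain version check cannot see distribution back-ports, which is why the package string is printed alongside for comparison with the vendor notice.

```shell
#!/bin/sh
# Added example, not from the original post: script the "ldd --version" check.
# Assumption: upstream fixed GHOST in glibc 2.18, so 2.2 up to 2.17 are affected
# unless the distribution back-ported the fix. A version check cannot see
# back-ports, so "vulnerable" means "compare the package string against the
# distribution notice", not "confirmed exploitable".

# Print "vulnerable", "fixed" or "unknown" for the first line of an ldd banner.
ghost_upstream_status() {
    # The banner ends with the upstream version, e.g. "(...) 2.15" or "(...) 2.19".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^ldd (.*) \([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unknown
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; }; then
        echo fixed
    elif [ "$major" -eq 2 ] && [ "$minor" -ge 2 ]; then
        echo vulnerable
    else
        echo unknown   # older than 2.2 predates the affected code; verify by hand
    fi
}

# Print the distribution package string inside the parentheses, e.g.
# "Ubuntu EGLIBC 2.15-0ubuntu10.7"; this is what the vendor notices list.
ghost_package_string() {
    printf '%s\n' "$1" | sed -n 's/^ldd (\(.*\)).*$/\1/p'
}

# Run the check on this machine (ldd may be absent on minimal images).
ghost_check_local() {
    banner=$(ldd --version 2>/dev/null | head -n 1)
    echo "package: $(ghost_package_string "$banner")"
    echo "upstream status: $(ghost_upstream_status "$banner")"
}

# Constructed sample input: the banner shown in the post above.
sample='ldd (Ubuntu EGLIBC 2.15-0ubuntu10.7) 2.15'
echo "sample package: $(ghost_package_string "$sample")"
echo "sample status:  $(ghost_upstream_status "$sample")"
```

Call ghost_check_local on each host (for example over SSH) and collect the two lines per machine; any "vulnerable" result is resolved by matching the package string against the distribution notice linked below.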
Below are links to some of the Linux distribution update notices. These notices provide lists of the vulnerable versions of glibc and/or the information for the patched update that can be downloaded.
RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
Oracle Enterprise Linux: https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html
CentOS: http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html
OpenSUSE: http://lists.opensuse.org/opensuse-updates/2015-01/msg00085.html
GNU C Library: http://www.gnu.org/software/libc/
Note: for security appliances that make use of custom builds of the *nix operating system, the appliance vendors need to communicate their advice and the availability of updates. If you have any questions about Nebulas-supported security solutions and this vulnerability, please get in touch.