Researchers at Qualys recently revealed a critical vulnerability in the Linux GNU C Library (glibc), that allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.
The vulnerability is known as GHOST (CVE-2015-0235) as it can be triggered by the gethostbyname functions. It affects many systems built on Linux starting with glibc-2.2 released on November 10, 2000. Qualys researchers also identified a number of factors that mitigate the impact of this bug including a fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18. Unfortunately, this fix was not classified as a security advisory, and as a result, most stable and long-term-support distributions were left exposed including: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.
“GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine. For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine,” said Wolfgang Kandek, Chief Technical Officer for Qualys, Inc. “Given the sheer number of systems based on glibc, we believe this is a high severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor.”
Patches are available from today and security experts have warned for companies to start patching immediately. The vulnerability has the capability to be far-reaching and “the potential attack surface is huge…the implications in terms of vulnerable software are still evolving, so they need to respond now,” according to Carl Leonard, Principal Security Analyst, Websense.
“As with Shellshock and Heartbleed, with so many systems possibly open to attack, the need to quickly identify and patch any vulnerable systems should be high on the agenda of any organisation that wants to reduce the probability of data loss,” advised Gavin Millard, Technical Director EMEA of Tenable Network Security.
“Vulnerable versions of Glibc will be found on pretty much every Linux server although it isn’t usually used on smaller embedded systems due to its size, which thankfully means the millions of IoT [internet of things] devices and home routers out there that have slower or non-existent patch cycles shouldn’t be affected.”
Elad Sharf, Security Research Manager at Performanta Ltd. continued:
“This is a serious flaw that can be exploited remotely, enabling hackers to take control of systems and potentially lead to development of an internet worm. GHOST is continuing the trend of high profile vulnerabilities like Shellshock and Heartbleed and again bodes th
e question of whether technology alone can keep up with critical vulnerabilities and protect against skillful adversaries that may utilise such vulnerabilities? The short answer is no. Technology alone cannot prevent exploits infiltrating organisations. Effective network security requires a combination of skilled personnel and technology working together to uncover these types of advanced threats taking place.”
David Harley, senior research fellow at ESET was slightly more optimistic, stating that: “Major Linux versions are being updated already, but even though most Linux system administrators are pretty savvy and have been quick to respond, there’s been a short-term impact because update servers have been hammered by requests for the updated packages. Hopefully, this will be short-term enough to allow a majority of developers to update before there are in-the-wild exploits.” However, he did warn that he imagines that “there will be malware in due course that will attempt an exploit just in case it gets access to an unpatched system.”
Szilard Stange, director at OPSWAT pointed out the complications in managing the disclosure process in these instances.
“Vulnerabilities like this one point out some difficulties of how to handle the disclosure process,” he said. “According to our investigation, many distributions were not affected by this vulnerability like the latest long-term-support release of Ubuntu, many distributions have released an update to the vulnerable software about a week before the publication date and many other have released updates on the same day like Red Hat and Debian. All the updates were released as a result of the coordination of the disclosure process. We can say that all major Linux distributions had the fix released on the same day of security advisory release.”
Patrick Bedwell, an AlienVault vice-president, said that one thing is for sure: buffer overflow vulnerabilities like GHOST are going to keep being discovered and the infosec community is going to have to respond.
He said: “the best way to mitigate GHOST is to identify vulnerable systems, prioritise the remediation process based on asset criticality, and deploy patches. You should keep a current inventory of devices, operating systems, and applications in your network so that you can answer the question ‘am I vulnerable?” before some bad actor answers it for you.
“This situation also highlights the need for you to keep vigilant on the latest happenings in infosec, and work with vendors who are active in the security community. Look for vendors who are committed to mitigating any vulnerabilities to help you keep up with emerging threats like this.
“Bottom line: Some vendors have identified vulnerable systems and applications and released patches. But don’t take their word for it, make sure to perform regular vulnerability scans yourself to ensure your network is protected.”
