Anti-Malware , Application Security , Risk Management

Serious 'GHOST' Flaw Puts Linux at Risk

US-CERT Warns: Linux Patches Are Available, Update Now
Serious 'GHOST' Flaw Puts Linux at Risk

Numerous versions of Linux are at risk from a "GHOST" vulnerability that an attacker could exploit - remotely or locally - to bypass credential checks and seize control of a system, warn researchers at cloud security and vulnerability scanning vendor Qualys. The flaw exists in the GNU C Library, a.k.a. "glibc."

See Also: Detecting Insider Threats Through Machine Learning

"GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine. For example, an attacker could send a simple e-mail on a Linux-based system and automatically get complete access to that machine," says Wolfgang Kandek, chief technical officer at Qualys. "Given the sheer number of systems based on glibc, we believe this is a high-severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor."

The flaw cannot be fixed by excising the offending library in Linux. "The GNU C Library - or glibc - is an implementation of the standard C library and a core part of the Linux operating system," Kandek says in a blog post. "Without this library, a Linux system will not function."

Patched versions of many Linux operating systems have now been released, the U.S. Computer Emergency Response Team says in a Jan. 27 alert. "US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected. Patches are available from Ubuntu and Red Hat. The GNU C Library versions 2.18 and later are also available for experienced users and administrators to implement."

Analyzing GHOST

The glibc vulnerability exists in the Linux gethostbyname() function - hence the GHOST name - that was added to glibc-2.2, which was released on Nov. 10, 2000. A related fix for GHOST was issued - between the releases of glibc-2.17 and glibc-2.18 - but was only flagged as being a bug fix, Qualys reports. "Unfortunately, this fix was not classified as a security advisory, and as a result, most stable and long-term-support distributions were left exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04."

During a code audit, Qualys discovered that the bug could be used to trigger a buffer overflow and then execute code of an attacker's choosing, Kandek says. The bug has been designated as CVE-2015-0235.

Qualys says it alerted Linux vendors in advance of issuing a coordinated Jan. 27 warning about the flaw to give them time to prepare related patches, which were released on the same day. Anyone using glibc-2.18 or newer is immune to related exploits.

Easy to Exploit

GHOST is easy to exploit, Qualys reports. "During our testing, we developed a proof-of-concept [attack] in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine," Kandek says. "This bypasses all existing protections - like ASLR, PIE and NX - on both 32-bit and 64-bit systems." But Qualys has yet to release that proof-of-concept exploit code, saying it will wait until the bug's "half life" - when it estimates that half of affected systems have been patched - to do so.

The flaw is likely widespread, given the massive number of servers that run Linux. "Linux is used by 36.3 percent of all the websites whose operating system we know," reports Web research firm

Outdated Linux Function

Robert David Graham, who heads cybersecurity research firm Errata Security, says there is no need to still be using the function in which the GHOST bug has been found. "Today's GHOST vulnerability is in gethostbyname(), a Sockets API function from the early 1980s," he says in a blog post. "That function has been obsolete for a decade. What you should be using is getaddrinfo() instead, a newer function that can also handle IPv6. The great thing about getaddrinfo() is the fact that it allows writing code that is agnostic to the IP version."

Internet Protocol version 6 has been replacing the previous protocol, IPv4, owing to a lack of address space.

Graham, however, says too many programmers, while learning how to do computer networking - and handle Sockets, which are endpoints in a connection - are still being taught to use the deprecated gethostbyname(). "If you learn Sockets programming at the university, they still teach gethostbyname(). That's because as far as Internet programming is concerned, academia is decades out of date."

Yet Another New 'Old' Bug

As noted, the GHOST flaw has existed since 2000, which makes it yet another "old bug" to have been newly discovered. Indeed, the GHOST warning follows the 2014 discovery of three other serious, old bugs: Heartbleed in OpenSSL, the POODLE SSL flaw, and the Bash command-line flaw known as Shellshock.

The discovery of GHOST has already triggered related debates about whether enough is being done to find and eradicate old flaws in widely used software, such as Linux. "Right, obviously this is with all due deference and respect and I hope nobody takes it the wrong way," says one commenter to a related discussion on the Sourceware Bugzilla site. "[But] could we take this moment and look back maybe somewhat systematically over other closed [Linux] bugs that were deemed of low importance and no security impact which involved very clearly increasing the size of a buffer so that it becomes big enough to not get overflowed?"

Veteran Linux bug hunter Florian La Roche, however, has reportedly already reviewed 3,000 past glibc bugs to see if they might have security repercussions, reports Joseph Myers at Mentor Graphics Sourcery Tools, in a post to Sourceware Bugzilla. "But as this case illustrates, it may not be apparent from the bug description that a buffer overrun was involved at all," he says.

"Now, if someone else wants to do their own review of over 3,000 bugs with 'security-' flag, and to query cases where they disagree with that assessment, that would be welcome, but probably also very tedious and not likely to find many cases of misclassified bugs," Myers says.

About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the Executive Editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, amongst other publications. He lives in Scotland.

Around the Network