
Ghost Remote Code Execution Vulnerability scares the Linux community

The Linux GNU C Library (glibc) versions prior to 2.18 are affected by the GHOST remote code execution vulnerability present in the ‘gethostbyname’ function.

A new critical vulnerability is threatening the Linux community: the flaw affects the GNU C Library (glibc). The vulnerability is present in all Linux systems dating back to 2000 and could be exploited by attackers to execute code and remotely gain control of Linux machines.

The vulnerability was first discovered by researchers at Qualys, and it affects the glibc library from version 2.2, included in Linux systems since November 2000. However, at the moment there is no way to tell whether cyber criminals or state-sponsored hackers have been exploiting this vulnerability in the wild.

“During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it — and its impact — thoroughly, and named this vulnerability “GHOST”.” states a blog post from Qualys.

The flaw, tracked as CVE-2015-0235, is a heap-based buffer overflow in the __nss_hostname_digits_dots() function implemented in the glibc library and invoked by the gethostbyname and gethostbyname2 function calls.

The experts assigned the vulnerability the name GHOST because of the involvement of the gethostbyname function.

Experts at Qualys confirmed that they have identified a mitigation for the GHOST flaw that has been available since May 21, 2013, between the releases of glibc-2.17 and glibc-2.18.

“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said the advisory from Qualys.

The impact of the GHOST flaw is serious nonetheless, even though updating glibc is a fairly easy operation.

“In this instance, you just apply the glibc update, and restart any services that are vulnerable,” explained Josh Bressers, a member of the Red Hat security response team. “It’s not confusing like Shellshock was.”

Qualys also provided details about the exploitation of the Exim SMTP mail server: the advisory explains how to achieve remote code execution against the Exim SMTP mail server, bypassing the NX (No-eXecute) protection and glibc’s malloc hardening. Other Linux systems are exposed to the GHOST flaw, including MySQL servers, Apache, Cups, Dovecot, Secure Shell servers and other types of mail servers.

“The bug affects virtually all Linux-based software that performs domain name resolution. As a result, it most likely can be exploited not only against servers but also client applications,” reports ArsTechnica.

The different Linux distributions will be releasing patches; Red Hat has released an update for Red Hat Enterprise Linux 5. Novell has a list of SUSE Linux Enterprise Server builds affected by GHOST. Debian has already released an update of its software addressing the vulnerability.

The US-CERT has also published an advisory on the GHOST vulnerability urging administrators to refer to their respective Linux or Unix-based OS vendors and start the patching process.

“US-CERT recommends users and administrators refer to their respective Linux or Unix-based OS vendor(s) for an appropriate patch if affected. Patches are available from Ubuntu and Red Hat. The GNU C Library versions 2.18 and later are also available for experienced users and administrators to implement.” states the US-CERT.
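As an added example (not from the article, Qualys or any vendor), the shell functions below cover the two follow-up checks the remediation advice implies: whether an upstream glibc version string falls in the affected range the article gives, and whether a process still maps the old, replaced libc and therefore needs the restart. The function names and the sample `/proc/<pid>/maps` lines are constructed for illustration; distributions backport the fix without changing the upstream version number, so the vendor advisory stays authoritative.

```shell
#!/bin/sh
# Added example: follow-up checks after patching GHOST (CVE-2015-0235).

# True if an upstream glibc version is in the range the article gives as
# affected: 2.2 up to, but not including, 2.18. Vendors backport the fix
# without changing this number, so a hit means "check the advisory".
glibc_in_ghost_range() {
    case $1 in *.*) ;; *) return 1 ;; esac
    gv_major=${1%%.*}
    gv_minor=${1#*.}
    gv_minor=${gv_minor%%[!0-9]*}        # "12-1.149.el6" -> "12"
    [ "$gv_major" = 2 ] && [ "${gv_minor:-0}" -ge 2 ] && [ "${gv_minor:-0}" -lt 18 ]
}

# Reads /proc/<pid>/maps text on stdin. True if the process still maps a libc
# whose file was replaced on disk, i.e. it runs the old code until restarted.
uses_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$'
}

# Lists "pid command" for every readable process that needs a restart.
scan_procs() {
    for maps in /proc/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        if uses_stale_libc < "$maps"; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample input (not captured from a real host).
SAMPLE_STALE='7f1c2a400000-7f1c2a5b6000 r-xp 00000000 08:01 1311  /lib64/libc-2.12.so (deleted)
7f1c2a9c0000-7f1c2a9e0000 r-xp 00000000 08:01 1290  /lib64/ld-2.12.so'
SAMPLE_FRESH='7f80d1200000-7f80d13b6000 r-xp 00000000 08:01 2044  /lib64/libc-2.12.so
7f80d1800000-7f80d1a00000 r-xp 00000000 08:01 2101  /usr/lib64/libcrypto.so.10 (deleted)'

if [ "${1:-}" = "--scan" ]; then
    ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    if glibc_in_ghost_range "${ver:-0}"; then
        echo "glibc $ver: inside the affected upstream range"
    fi
    scan_procs
fi
```

Run with `--scan` as root after the package update to see every process; an empty list means no running process still maps the replaced library.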

Pierluigi Paganini

(Security Affairs – GHOST, LINUX)
