As you may be aware, another security exploit has been recently discovered called "GHOST: glibc gethostbyname buffer overflow".
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
What is glibc?
The GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a Linux system will not function.
What is the vulnerability?
During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.
What is the risk?
There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.
Riverbed
Issue
A vulnerability (CVE-2015-0235 aka GHOST vulnerability) has been reported in the GNU C (glibc) library's gethostbyname() group of functions that could allow remote attackers to potentially compromise a system. glibc is a common component of most Linux distributions and is thus included in several Riverbed products. For more information on this vulnerability, please refer to the following:
Solution
Riverbed is actively working on identifying and resolving this CVE across all vulnerable products. As each product is updated, tested, and released, we will update this knowledge base article. Check back periodically to learn when updates to the products you use become available.
SteelHead | SteelApp | SteelCentral | SteelFusion | Web | Riverbed open source
In the lists below, products are grouped together when the same information applies to all products in the group. For example, in the SteelHead section, the bulleted statements apply to all of the product names listed above the statements.
SteelHead CX (appliance, virtual, cloud)
SteelHead DX
SteelHead Interceptor
SteelCentral Controller for SteelHead
SteelCentral Controller for SteelHead Mobile
Riverbed Services Platform
- Not vulnerable under normal circumstances. While affected versions of glibc are present, any potential exploit would first require authentication via the web management console or the command line interface. Nevertheless, patched versions of glibc will be included in the next maintenance release.
SteelApp Traffic Manager (appliance)
- Potentially vulnerable: in products before version 9.9. While testing revealed no exploitable attack vectors in the administrative interfaces, we cannot claim to have performed an exhaustive survey. The Traffic Manager's data-plane is not affected. The standard OpenSSH configuration for the appliance includes "UseDNS no" and thus the SSH service is not affected.
- In some appliance deployments, custom software might be installed on the (Open-Access) appliance (in addition to custom monitor and action scripts) and thus might be affected. Customers should contact the vendor of any software deployed on their systems to determine the impact of this vulnerability.
- Patches for supported releases (versions 9.2 through 9.8r2) are available. Download links will be provided shortly.
SteelApp Traffic Manager (software)
- Potentially vulnerable, depending on the underlying Linux distribution used. While testing revealed no exploitable attack vectors in the administrative interfaces, we cannot claim to have performed an exhaustive survey. The Traffic Manager's data-plane is not affected. The standard OpenSSH configuration for the appliance includes "UseDNS no" and thus the SSH service is not affected.
- In all software deployments, custom monitor and action scripts might be affected. Customers should contact the vendor of these add-ons to determine the impact of this vulnerability.
- Customers should update glibc to a version without the vulnerability following the recommendations from the vendor of their platform(s)/distribution(s). After updating, customers should restart the Traffic Manager software to ensure the new library is being used.
- Not vulnerable: SteelApp Traffic Manager software for Solaris.
SteelApp Web App Firewall
- Not vulnerable.
SteelApp Web Accelerator
- Not vulnerable.
SteelCentral Controller for SteelApp (appliance)
- Potentially vulnerable: version 2.0 includes a vulnerable version of the glibc library. While the SSC software version (1.2) included is not affected by the vulnerability, the platform includes a number of utilities which might be affected. It is unknown whether there exist any attack vectors that might exploit the vulnerability.
- Patches for supported releases containing the vulnerable library will be created as required; please escalate customer requests through the standard support process.
SteelCentral Controller for SteelApp (software)
- Potentially vulnerable: in versions 1.0 and 1.1. The gethostbyname() function is used for name resolution; it is unknown if there are any attack vectors that might exploit this.
- Customers should update glibc to a version without the vulnerability following the recommendations from the vendor of their platform(s)/distribution(s). After updating, customers should restart the Traffic Manager software to ensure the new library is being used.
- Not vulnerable: in version 1.2.
SteelCentral Controller for SteelApp (instance host)
- Potentially vulnerable: the instance host includes a vulnerable version of the glibc library. It is unknown whether the vulnerability affects the instance host itself. Deployments of SteelApp Traffic Manager on the instance host are affected in the same manner as reported for the SteelApp Traffic Manager software installations.
- Patches for supported releases containing the vulnerable library will be created as required; please escalate customer requests through the standard support process.
AirPcap driver
AppCapacity
AppMapper
AppResponse
AppSQL
Dashboards
Modeler
NetAuditor
NetCollector
NetPlanner
NetSensor
Packet Analyzer
Report Server
Transaction Analyzer
WebAnalyzer
- Not vulnerable. glibc is not included in the Linux versions of these products. Windows versions are unaffected.
AppInternals
Flow Gateway
NetExpress
NetProfiler
NetShark
UCExpert
- Currently under investigation.
SteelHead EX
Granite Core (physical and virtual)
- Not vulnerable under normal circumstances. While affected versions of glibc are present, any potential exploit would first require authentication via the web management console or the command line interface. Nevertheless, patched versions of glibc will be included in the next maintenance release.
- Does not apply.
Wireshark
- Not vulnerable. glibc is not included in the Linux, BSD, Solaris, and OS X versions of these products. Windows versions are unaffected.
WinPcap
WinDump
- Not vulnerable, as these are Windows tools.
Allot
Field Note 01-02-15: GHOST glibc Vulnerability (WSP)
Description
A heap-based buffer overflow was found in glibc's __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.
This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.
The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000, and it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18).
US-CERT tracks the vulnerability as CVE-2015-0235.
What is glibc?
The GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a Linux system will not function.
What is the Risk?
There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue could gain complete access to the system.
In any case, triggering the vulnerability in the WSP modules would be very difficult. As stated in http://www.openwall.com/lists/oss-security/2015/01/27/9, only a few Linux programs can trigger the vulnerability at all, and at this time only exim can trigger it remotely (and only with a very specific configuration). If a program performs even a few checks (for example, rejecting DNS names longer than 1K), the vulnerability cannot be exploited.
A Linux patch is available. The WSP modules depend on libc, so a restart of the WSP modules is recommended after patching. The other normal Linux processes need a restart too, so the recommendation is to reboot the machines.
Which Systems are at Risk?
The issue could affect both the 32-bit and 64-bit operating systems of WebSafe Personal.
All versions of OptOS until OptOS-6.5.201501-12 are affected.
How to Check if System is Vulnerable?
The following test can be executed to check whether the system is vulnerable (it does not repair or restart anything; it only reports whether your system is vulnerable):
# wget "http://kb.optenet.com/kbp/index.php?View=afile&CategoryID=471&EntryID=543" -O GHOST.c
Updates to be Installed Depending on OS
CentOS 5.X 32 bits
glibc-2.5-123.el5_11.1.i386.rpm
glibc-2.5-123.el5_11.1.i686.rpm
glibc-common-2.5-123.el5_11.1.i386.rpm
glibc-devel-2.5-123.el5_11.1.i386.rpm
glibc-headers-2.5-123.el5_11.1.i386.rpm
glibc-utils-2.5-123.el5_11.1.i386.rpm
nscd-2.5-123.el5_11.1.i386.rpm
For CentOS 5.X 32-bit, all RPMs can be downloaded from http://mirror.centos.org/centos-5/5/os/i386/
CentOS 5.X 64 bits
glibc-2.5-123.el5_11.1.i686.rpm
glibc-2.5-123.el5_11.1.x86_64.rpm
glibc-common-2.5-123.el5_11.1.x86_64.rpm
glibc-devel-2.5-123.el5_11.1.i386.rpm
glibc-devel-2.5-123.el5_11.1.x86_64.rpm
glibc-headers-2.5-123.el5_11.1.x86_64.rpm
glibc-utils-2.5-123.el5_11.1.x86_64.rpm
nscd-2.5-123.el5_11.1.x86_64.rpm
For CentOS 5.X 64-bit, all RPMs can be downloaded from http://mirror.centos.org/centos-5/5/os/x86_64/
OptOS 6.X 32 bits
glibc-2.12-1.149.el6_6.5.i686.rpm
glibc-headers-2.12-1.149.el6_6.5.i686.rpm
glibc-devel-2.12-1.149.el6_6.5.i686.rpm
glibc-common-2.12-1.149.el6_6.5.i686.rpm
nscd-2.12-1.149.el6_6.5.i686.rpm
For OptOS 6.X 32-bit, all RPMs can be downloaded from http://public-yum.oracle.com/repo/OracleLinux/OL6/latest/i386/
OptOS 6.X 64 bits
glibc-2.12-1.149.el6_6.5.i686.rpm
glibc-common-2.12-1.149.el6_6.5.x86_64.rpm
glibc-headers-2.12-1.149.el6_6.5.x86_64.rpm
glibc-2.12-1.149.el6_6.5.x86_64.rpm
glibc-devel-2.12-1.149.el6_6.5.x86_64.rpm
nscd-2.12-1.149.el6_6.5.x86_64.rpm
For OptOS 6.X 64-bit, all RPMs can be downloaded from http://public-yum.oracle.com/repo/OracleLinux/OL6/latest/x86_64/
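As an added example (not part of the field note and not the Optenet/Allot test program), the following Python script compares the installed glibc package name, as printed by rpm -q glibc, against the minimum fixed versions listed above for CentOS 5.X (el5) and OptOS 6.X (el6). The version comparison is a simplified rpm-style comparison written for this example, and packages from any other family return None rather than a verdict.

```python
import re
import subprocess

# Minimum fixed glibc package versions from the field note above
# (CentOS 5.X and OptOS 6.X, whose packages carry el5 / el6 release tags).
FIXED_VERSIONS = {
    "el5": "2.5-123.el5_11.1",
    "el6": "2.12-1.149.el6_6.5",
}

_NVR = re.compile(r"^glibc-([0-9.]+)-([^-]+?)\.(i386|i686|x86_64|noarch)(?:\.rpm)?$")


def _segments(text):
    """Split a version or release string for comparison (simplified rpm rules):
    numeric runs compare as integers, alphabetic runs as strings."""
    return [(0, int(t)) if t.isdigit() else (1, t)
            for t in re.findall(r"[0-9]+|[A-Za-z]+", text)]


def parse_nvr(nvr):
    """'glibc-2.12-1.149.el6_6.5.x86_64' -> ('2.12', '1.149.el6_6.5', 'x86_64', 'el6')."""
    m = _NVR.match(nvr.strip())
    if not m:
        raise ValueError("not a glibc package name: %r" % nvr)
    version, release, arch = m.groups()
    family = re.search(r"el[0-9]+", release)
    return version, release, arch, family.group(0) if family else None


def glibc_is_fixed(nvr):
    """True if the package is at or above the fixed version for its family,
    False if it is older, None if the family is not covered by the note."""
    version, release, _, family = parse_nvr(nvr)
    if family not in FIXED_VERSIONS:
        return None
    fixed_version, fixed_release = FIXED_VERSIONS[family].split("-", 1)
    installed = (_segments(version), _segments(release))
    fixed = (_segments(fixed_version), _segments(fixed_release))
    return installed >= fixed


if __name__ == "__main__":
    # Query the local rpm database; one line per installed glibc package (multiarch hosts print two).
    out = subprocess.run(["rpm", "-q", "glibc"], capture_output=True, text=True, check=True)
    for line in out.stdout.splitlines():
        verdict = {True: "fixed", False: "VULNERABLE", None: "unknown family"}[glibc_is_fixed(line)]
        print(line, verdict)
```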
Procedure to Update the OS
The procedure is simple and is the same for every OS; the command to execute is
rpm -Uvh --force --nodeps <rpm_package>
This command has to be run for every rpm to be installed.
After that, the machine has to be rebooted.
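Where a reboot must be deferred, the reason the field note insists on restarting is that processes started before the update keep the old library mapped. The following added example (not part of the field note) scans /proc/<pid>/maps for libc objects marked "(deleted)", which is how the kernel shows a mapping whose file was replaced on disk by the rpm update; the sample maps listing is constructed for illustration.

```python
import os
import re

# A glibc object that is still mapped but marked "(deleted)" means the process
# loaded the library before the rpm update replaced it on disk.
_STALE_LIBC = re.compile(r"/libc[-.]\S*\s+\(deleted\)\s*$")


def stale_libc_mappings(maps_text):
    """Return the deleted libc paths referenced by one /proc/<pid>/maps listing."""
    paths = set()
    for line in maps_text.splitlines():
        if _STALE_LIBC.search(line):
            paths.add(line.split()[5])  # sixth field of a maps line is the pathname
    return sorted(paths)


def processes_needing_restart(proc_root="/proc"):
    """Map pid -> deleted libc paths for every readable process under proc_root."""
    found = {}
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "maps")) as f:
                stale = stale_libc_mappings(f.read())
        except OSError:
            continue  # process exited, or maps not readable without root
        if stale:
            found[int(pid)] = stale
    return found


# Constructed sample: a maps listing from a process started before the update.
SAMPLE_MAPS = """\
00400000-0040b000 r-xp 00000000 08:01 1234    /usr/bin/example
7f1c2a000000-7f1c2a18a000 r-xp 00000000 08:01 5678    /lib64/libc-2.12.so (deleted)
7f1c2a18a000-7f1c2a389000 ---p 0018a000 08:01 5678    /lib64/libc-2.12.so (deleted)
7f1c2a600000-7f1c2a620000 r-xp 00000000 08:01 9999    /lib64/ld-2.12.so
7f1c2a800000-7f1c2a9c0000 r-xp 00000000 08:01 4242    /lib64/libcrypto.so.10
"""

if __name__ == "__main__":
    print("sample:", stale_libc_mappings(SAMPLE_MAPS))
    # Run as root for full coverage; an empty result after the update means no restart is pending.
    for pid, libs in sorted(processes_needing_restart().items()):
        print(pid, ", ".join(libs))
```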
Castle Rock
Teneo is waiting for the vendor's confirmation of whether CVE-2015-0235 affects any of their products.
Talari
Teneo is waiting for the vendor's confirmation of whether CVE-2015-0235 affects any of their products.
Infoblox
#3581: NIOS and Network Automation products are not vulnerable to CVE-2015-0235
On January 27, 2015, Qualys Security Advisory announced CVE-2015-0235.
Description
The GHOST vulnerability is in the GNU C Library (glibc), a core part of the Linux OS. It is a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This vulnerability can be triggered both locally and remotely via all the gethostbyname*() functions. Depending on the way this function is called, and the attacker's ability to supply the arguments, it is possible for an attacker to gain control of the compromised system, bypassing all existing protections without having any prior knowledge of system credentials.
Affected Versions
Infoblox NIOS and Network Automation products do not use this function in ways that are exploitable in the manner described in this vulnerability and therefore these Infoblox products are not considered to be vulnerable to this attack.
Impact
Infoblox NIOS and Network Automation products are not affected.
Recommendation
There is no need for action. Infoblox will update glibc to address this vulnerability in regularly scheduled patches as a matter of best practice.
Palo Alto Networks
On Tuesday, January 27th, a Linux remote code execution vulnerability was discovered in the gethostbyname() function in certain Linux distributions. This is also known as the "GHOST glibc gethostbyname" buffer overflow vulnerability, CVE-2015-0235.
Palo Alto Networks has confirmed customers are protected against the exploitation of the GHOST buffer overflow vulnerability with IPS Signature ID #30384, "SMTP EHLO/HELO overlong argument anomaly", over SMTP, as is demonstrated in the proof of concept provided by Qualys in their writeup of the vulnerability. A successful attack could lead to remote code execution with the privileges of the server.
Palo Alto Networks customers with a Threat Prevention subscription are advised to verify that they are running the latest content version on their devices and the appropriate action set in their policies. If you have any questions about coverage for this advisory, please contact Support.
For more information on the vulnerability, see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235 or https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
GHOST: glibc vulnerability (CVE-2015-0235)
Last revised: 02/02/2015
Summary
The open source library "glibc" has been found to contain a recently discovered vulnerability (CVE-2015-0235, commonly referred to as "GHOST") that has been demonstrated to enable remote code execution in some software. Palo Alto Networks software makes use of the vulnerable library; however, there is no known exploitable condition in PAN-OS software enabled by this vulnerability at the time of this advisory. An update to PAN-OS will be made available that addresses CVE-2015-0235 in a regularly scheduled software maintenance update. (Ref # 74443)
Severity: Low
The exploitability of CVE-2015-0235 on vulnerable systems is highly dependent on the architecture and design surrounding use of the vulnerable functions within the system, and exploitable conditions found across various open source software libraries have so far been exceedingly rare. At the time of this advisory, Palo Alto Networks is not aware of any specific remotely exploitable condition enabled by this vulnerability that affects any Palo Alto Networks products.
Products Affected
PAN-OS 6.1.2 and earlier; PAN-OS 6.0.8 and earlier; PAN-OS 5.0.15 and earlier
Available Updates
A patch for the issue described in this bulletin will be made available in a regularly scheduled maintenance update for each supported release of PAN-OS. This bulletin will be updated as the releases are made available.
Workarounds and Mitigations
N/A
Acknowledgements
N/A
Keep up to date with the latest news
The Teneo Technical Support Team will be keeping up to date with all of the latest information and updates, so please get in touch with any questions or concerns at support@teneo.net.
To keep up to date with what we know, follow us on Twitter