GHOST vulnerability affects most Linux systems

Security patches available for many distributions

29 January 2015 by Drew Amorosi - Datacenter Dynamics


A major vulnerability in the GNU C Library (glibc) that affects all Linux-based systems dating back to 2000 was disclosed this week. Researchers at security firm Qualys discovered the GHOST vulnerability (CVE-2015-0235), which affects more than a decade's worth of Linux-based machines, during an internal code audit.

“Linux GNU C Library (glibc) versions prior to 2.18 are vulnerable to remote code execution via a vulnerability in the gethostbyname function”, explained US-CERT in its alert for GHOST, adding that “Exploitation of this vulnerability may allow a remote attacker to take control of an affected system.”

In its security advisory, the Qualys researchers detailed the exploit, which allows attackers to remotely take control of an affected system without the need for authentication, such as system ID or passwords: “We discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions.”

The GHOST moniker comes from the exploit’s relation to the gethostbyname function; in their advisory, the Qualys researchers refer to it as GHOST: glibc gethostbyname buffer overflow.

“The security hole can be triggered by exploiting glibc's gethostbyname functions”, detailed one analysis from ZDNet. “This function is used on almost all networked Linux computers when the computer is called on to access another networked computer either by using the /etc/hosts files or, more commonly, by resolving an Internet domain name with Domain Name System (DNS).”

To achieve a successful exploit, it continued, “all an attacker needs to do is trigger a buffer overflow by using an invalid hostname argument to an application that performs a DNS resolution. This vulnerability then enables a remote attacker to execute arbitrary code with the permissions of the user running DNS. In short, once an attacker has exploited GHOST they may be capable of taking over the system.”

In a proof-of-concept attack, Qualys used a specially crafted email sent to a mail server that provided remote access to a Linux machine; the researchers claimed the attack bypasses all existing protections built into 32- and 64-bit Linux systems. They also found that the first vulnerable version of the GNU C Library dated back to Nov. 10, 2000, with the release of glibc-2.2. 

However, a fix for the vulnerability was introduced May 21, 2013, between the release of glibc-2.17 and glibc-2.18. The vulnerability was not identified as a security threat at the time, the researchers noted, and advised that many other popular distributions were still vulnerable: “Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.”

US-CERT noted in its advisory that patches are already available from Ubuntu and Red Hat, while “GNU C Library versions 2.18 and later are also available for experienced users and administrators to implement.” Debian has also issued a patch for its affected product, and Linux users are urged to check with their vendors on any released or pending security updates related to GHOST.

End of the Internet?

GHOST’s ability to provide attackers with unauthenticated access to a system is of particular concern, as is the length of time this vulnerability has been active. Yet GHOST as an avenue of attack seems less of a concern at this point. The real issue is the volume of machines affected by the vulnerability – all of which will need to undergo updates and restarts.

“Given the sheer number of systems based on glibc, we believe this is a high severity vulnerability and should be addressed immediately”, noted Wolfgang Kandek, CTO at Qualys, in a statement.

“To be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit,” commented Rapid7 CSO and Metasploit creator HD Moore, in a statement. “Still, it could potentially be nasty if exploited, so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted.”
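The restart point can be verified on a patched host: a process started before the update keeps mapping the replaced glibc file, which /proc/<pid>/maps marks with a "(deleted)" suffix. The shell script below is an added example, not part of the article or of the Qualys advisory; the function names, the pattern used to match glibc file names and the sample /proc tree are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: list processes that still map a glibc file that has been
# replaced on disk (shown as "(deleted)" in /proc/<pid>/maps).

# stale_libc_pids [PROC_ROOT]
# Prints one "PID NAME" line per process whose maps contain a deleted libc.
# PROC_ROOT defaults to /proc; the parameter exists so the function can be
# pointed at a constructed directory tree.
stale_libc_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue      # process exited or not readable
        # Assumed naming: libc-<version>.so or libc.so.<n>, unlinked on disk.
        if grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            pid=${dir##*/}
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Constructed sample: a fake /proc tree with one stale and one current process.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202"
    echo smtpd > "$d/101/comm"
    echo '7f3a1c000000-7f3a1c1bb000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)' > "$d/101/maps"
    echo sshd > "$d/202/comm"
    echo '7f5b2e000000-7f5b2e1bb000 r-xp 00000000 08:01 1399 /lib/x86_64-linux-gnu/libc-2.13.so' > "$d/202/maps"
    echo "$d"
}

# Scan the live system (or a directory given as $1) when run directly.
stale_libc_pids "${1:-/proc}"
```

Run it as root so every process's maps file is readable; any PID it prints belongs to a service that must be restarted, or the host rebooted, before the patched library is actually in use.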

