Linux GHOST bug haunts large percentage of enterprise apps

Analysis shows 80% of business-critical apps may be affected

10 February 2015 by Drew Amorosi - Datacenter Dynamics

Linux GHOST bug haunts large percentage of enterprise apps
Thinkstock / boscorelliart

Application security specialist Veracode has released data from its cloud-based security platform showing that 41% of the enterprise-based applications it assessed that rely on the GNU C programming library remain vulnerable as they make requests to unpatched versions of Linux.

GHOST is a major buffer overflow vulnerability (CVE-2015-0235) in the GNU C Library (glibc) that affects all Linux-based systems dating back to 2000. The flaw was recently disclosed by researchers at security vendor Qualys, as affected vendors rushed to issue security patches. Researchers from the firm were able to remotely gain access to a Linux-based email system that used one of the unpatched libraries by exploiting glibc's gethostbyname function; this function is used on almost all networked Linux computers when the machine is called on to access another networked device.

“Cyberattackers can potentially exploit this vulnerability to remotely take control of systems, giving them the ability to delete files, install cyberespionage malware or use the systems as launching points for distributed denial-of-service (DDoS) attacks,” Veracode said in its analysis. “While the vulnerability may have been dormant since 2000,” it added, “there is no way to tell if nation-states, cybercriminals or cyberhacktivists have already been exploiting it. Many applications use the function to perform common operations such as looking up email addresses, ‘pinging’ remote servers to check on their availability, or connecting to remote servers for software updates.”

Veracode’s analysis also found that 80% of the vulnerable enterprise applications it scanned were rated by their owners as either “high” or “very high” on a scale measuring their critical value to the business. “This typically means that the applications are customer-facing or access sensitive databases or back-end systems that execute financial transactions,” the company noted.

“Due to the criticality of this vulnerability, we are recommending that all companies patch their internet-facing Linux servers as soon as possible,” wrote Veracode’s CTO, Chris Wysopal, in a recent blog post. “This could be a timely undertaking, but will be worth the time to avoid a costly breach”, he observed.

Although Wysopal urged organizations to patch the affected Linux machines, he did underscore the likelihood of facing an active GHOST exploit by an attacker. “Unlike with Heartbleed, which was a protocol-level vulnerability, exploiting this vulnerability requires a specially-crafted payload that has been targeted for a specific application and hardware platform. That means you can’t simply reuse the proof-of-concept exploit developed by Qualys (for the Exim mail server) to attack other applications. As a result, GHOST attacks are more likely to be sophisticated and targeted,” he told Threatpost in a recent interview.


Sign in

Forgotten Password?

Create MyDCD account


region LATAM y España North America Europe Em Português Middle East Africa Asia Pacific

Whitepapers View All