Ghost Vulnerability (CVE-2015-0235)

Executive Summary

An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a buffer overflow in the gethostbyname() function, called when resolving a hostname to an IP.

Immediate patches are required to fix a vulnerability in glibc that allows arbitrary code execution from unauthenticated users. It is necessary to restart computers or processes following patching.

Ghost enables code execution, arbitrary data disclosure, and system compromise from unauthenticated remote attackers. The ways that a system could be vulnerable to this bug are numerous, and no exhaustive list could be compiled. Patching is required immediately, as a proof-of-concept is soon to be publicly released.

What is vulnerable?

This vulnerability has been in production glibc versions since November 2000, and was patched in source code since May 2013:

  • glibc 2.2 through 2.17 (inclusive) are vulnerable
  • glibc 2.18 through 2.20 (inclusive) are NOT vulnerable
  • prior versions of glibc (<= 2.1.3) are NOT vulnerable

Even if you are not directly using the gethostbyname() function, a large number of software packages incorporate the call and are vulnerable.

Service and software that can be exploited include, but is not limited to:

  • clockdiff
  • procmail
  • pppd (SUID root)
  • Exim Internet Mailer

An exploit has been written against Exim, and a working PoC is soon to be publicly disclosed.

Who is vulnerable?

  • Organizations that ship applications statically linked against vulnerable versions of glibc, or ship appliances built on Linux distributions that have a vulnerable version of glibc. This includes virtual appliances/virtual machines.
  • Organizations or end users that have a Linux desktop or server running with a vulnerable version of glibc, or use applications statically linked against a vulnerable version of glibc. This also extends to appliances and virtual machines. Since this vulnerability has been present in glibc for over a decade, out of date or EOL’d devices are likely to be vulnerable as well.

The following Linux distributions contains a vulnerable version of the glibc:

Ubuntu
10.04 LTSFix availableFixed in libc6 2.11.1-0ubuntu7.20
12.04 LTSFix availableFixed in libc6 2.15-0ubuntu10.10
14 and newerNot vulnerable
Debian
6.x – SqueezeVulnerable
6.x – Squeeze (LTS)Vulnerable
7.x – WheezyVulnerable
7.x – Wheezy (security)Fix AvailableFixed in glib 2.13-38+deb7u7
8.0 – JessieNot vulnerable
Dev – SidNot vulnerable
 

Red Hat Enterprise –
Fix information
Desktop (v. 5)Fix availableFixed in glibc-2.5-123.el5_11.1
Desktop (v. 6)Fix availableFixed in glibc-2.12-1.149.el6_6.5
Desktop (v. 7)Fix availableFixed in glibc-2.17-55.el7_0.5
HPC Node (v. 6)Fix availableFixed in glibc-2.12-1.149.el6_6.5
HPC Node (v. 7)Fix availableFixed in glibc-2.17-55.el7_0.5
Server (v. 5)Fix availableFixed in glibc-2.5-123.el5_11.1
Server (v. 6)Fix availableFixed in glibc-2.12-1.149.el6_6.5
Server (v. 7)Fix availableFixed in glibc-2.17-55.el7_0.5
Server EUS (v. 6.6.z)Fix availableFixed in glibc-2.12-1.149.el6_6.5
Workstation (v. 6)Fix availableFixed in glibc-2.12-1.149.el6_6.5
Workstation (v. 7)Fix availableFixed in glibc-2.17-55.el7_0.5
RHEL 4 ELSFix availableFixed in glibc-2.3.4-2.57.el4.2
 

Mint
13 “Maya”Fix availableTracks Ubuntu 12.04, should get update from Ubuntu servers
17 “Qiana”Not vulnerable
17.1 “Rebecca”Not vulnerable

Gentoo –
libc information
StableNot vulnerable Uses glibc 2.19-r1
Arch –
Fixed in all releases
since August 2013, discussion here and package info here
Anything recentNot vulnerable

Fedora –
Discussion
19 and earlierVulnerableUses glibc 2.17 and earlier
20Not vulnerableUses glibc 2.18
21Not vulnerableUses glibc 2.20

Mandriva Linux
AllVulnerableAppears to use glibc 2.16

openSUSE 
Vulnerability information
Enterprise 11 & olderVulnerable
Enterprise 12Not vulnerable
openSUSE 13.1 & newer Not vulnerable

Slackware
CurrentNot vulnerableUses glibc 2.20
14.1 and earliervulnerableUses glibc 2.17 and earlier
 

Knoppix –
Information about glibc versions
7.2 and earlierVulnerableUses glibc 2.17 and earlier
7.4 and laterNot vulnerableUses glibc 2.19 and later
 

Slax
AllVulnerableAppears to use glibc 2.15

CentOS
CentOS-5Fix availableFixed in glibc-2.5-123.el5_11
CentOS-6Fix availableFixed in glibc-2.12-1.149.el6_6.5
CentOS-7Fix availableFixed in glibc-2.17-55.el7_0.5

Patching

iSEC and Matasano recommend performing the following discovery and remediation steps.

Discovery

First, determine if your Linux is vulnerable. Either consult the table above, contact your vendor, or get the version from the version from the library itself. To do the latter, runlocate libc.so.6 to find the location of your libc, then run that file, and it will print out version information.

Fix

If your distribution has patches available, install those patches. Otherwise:

  • Update to glibc 2.18 or newer
  • Restart all processes that load the glibc library
  • Issue new binaries for software statically linked against a vulnerable version of the glibc library.

Technical Overview

The _nsshostnamedigitsdots() function of the GNU C Library (glibc) is vulnerable to a buffer overflow. This function incorrectly calculates the size of a buffer to allocate, and under certain circumstances, arbitrary data can overwrite adjacent memory resulting in a heap based buffer overflow. While only a maximum of four (4) bytes of memory can be overwritten, it has been demonstrated that this was enough to bypass exploitation mitigations (such as ASLR and PIE) and grant code execution. The__nss_hostname_digits_dots() function is usually not called directly but is called from the gethostbyname() and gethostbyname2() glibc functions.

In practice, this can be exploited whenever the hostname passed is long enough (at least 1KB) and passes other sanity checks:

  • The hostname is composed entirely of digits and dots
  • The hostname starts and ends with a digit
  • The hostname must be of the form of a, a.b, a.b.c or a.b.c.d

References

Published date:  10 February 2015

Written by:  Cyber Security Expert