How To Kill a GHOST: The Next Vulnerability
Bill Malchisky April 10 2015 12:10:00 AM
The first big vulnerability for 2015 launched during IBM ConnectED. With conference and presentation prep over the past several weeks, I checked Planet Lotus to see if GHOST had been covered previously. Not seeing any posts, I wanted to write about it now. In my opinion, this vulnerability gained less traction than POODLE and Shellshock due to its limited scope. GHOST (CVE-2015-0235) affects the glibc gethostbyname() and gethostbyname2() calls. Applications performing DNS resolution are primarily impacted, but any application utilizing glibc is a potential issue. As most non-hosting companies do not offer public DNS servers, the crisis is somewhat muted, especially as the risk becomes internal only. However, the issue's importance became escalated on several sites, in my opinion, due to the ease with which one can exploit the vulnerability--which I will intentionally leave undisclosed in this post.
It is important to note that IBM Domino is NOT affected by GHOST.
Additional Reading
Common Vulnerabilities and Exposures' official write-up on CVE-2015-0235, including scores of reference links
NIST's National Vulnerability Database summary, revised 6 April 2015
ZDNet's GHOST article
Checking The Vulnerability
Using the Red Hat Access Lab glibc (GHOST) Detector, one can quickly and easily ascertain the risk. This detector provides a small shell script which you run locally. Just add execute permission to the file, then run the script. The results will tell you whether or not you are vulnerable.
Note: this tool only works for RHEL, CentOS and other RHEL-based systems
Other options include the Cyberciti post and OpenWall's C script
Fixes
To address this vulnerability, you just need to update the glibc version. If you have a fully patched system, this is trivial. If you have lagged on upgrades over a period of time, you might have several dependencies needing resolution. Each major distro has a page on this issue, with a suggested fix for their build.
Red Hat -- they offer a fix for RHEL4 - RHEL7, with a caveat for RHEL4. They also suggest performing init 6, but recognize that is always less than convenient, so they provide a temporary method of restarting the in-scope public-facing processes. The full list of running processes still using the older glibc version can be viewed with this command:
lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t
SUSE -- Issue announcement, their bugzilla report and resolution page
Canonical's Ubuntu -- Security Notice USN-2485-1, their CVE-2015-0235 reference sheet, and Wiki reference sheet
CentOS
Debian Linux -- DSA-3142-1, addresses their eglibc, which is their version of glibc
Oracle Linux
Cyberciti.biz -- general testing and fixing for Linux distros with several included flavors
Product Specific -- Red Hat's rhev-hypervisor6 security update
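Two pieces of the procedure above are worth having as a script rather than a one-off command: the version gate from the "Checking The Vulnerability" section, and Red Hat's lsof pipeline that finds processes still mapping the old glibc after the package update. The following is an added example, not code from this post, from Red Hat or from any distro; the lsof output it parses is a constructed sample, and the 2.18 threshold is the upstream glibc release that carries the fix, which is only a hint because distributions backport the patch to older version numbers.

```sh
#!/bin/sh
# Added example, not code from the post or from Red Hat. Two helpers a
# sysadmin wants after reading the GHOST advisories:
#   1. a version gate against the upstream fix (glibc 2.18), with the
#      caveat that distributions backport, so older vendor builds may
#      already be fixed; trust the distro advisory over this number;
#   2. a filter over "lsof +c0 -d DEL" output (the pipeline Red Hat
#      recommends) that lists processes still mapping a deleted libc-*,
#      i.e. the services that must be restarted after the update.

# Version of the glibc actually installed, e.g. "2.17" (empty on non-glibc
# systems such as musl, where ldd has no --version).
installed_glibc_version() {
    ldd --version 2>/dev/null | awk 'NR == 1 { print $NF }'
}

# Succeeds (exit 0) when the major.minor version in $1 is 2.18 or newer.
glibc_upstream_patched() {
    printf '%s\n' "$1" | awk -F. '{ exit !($1 > 2 || ($1 == 2 && $2 >= 18)) }'
}

# Read lsof output on stdin; print "PID COMMAND USER PATH" for every
# open-but-deleted libc-* mapping. Columns follow lsof's default layout:
# COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME.
stale_libc_processes() {
    awk 'NR > 1 && /libc-/ { print $2, $1, $3, $NF }' | sort -u
}

# Same input; print only the distinct command names that need a restart.
stale_libc_commands() {
    stale_libc_processes | awk '{ print $2 }' | sort -u
}

# Constructed sample of lsof output as it looks right after a glibc update:
# sshd and two httpd workers still map the old libc; ntpd only maps a
# deleted libcrypto, which is not GHOST's concern.
SAMPLE_LSOF='COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sshd 1234 root DEL REG 253,0 0 131105 /usr/lib64/libc-2.17.so
sshd 1234 root DEL REG 253,0 0 131200 /usr/lib64/libpthread-2.17.so
httpd 2345 apache DEL REG 253,0 0 131105 /usr/lib64/libc-2.17.so
httpd 2346 apache DEL REG 253,0 0 131105 /usr/lib64/libc-2.17.so
ntpd 3456 ntp DEL REG 253,0 0 131300 /usr/lib64/libcrypto.so.10'

# Stand-alone run: report on the sample, or on the live system with --live
# (lsof must run as root to see every process).
if [ "${1:-}" = "--live" ]; then
    v=$(installed_glibc_version)
    if glibc_upstream_patched "$v"; then
        echo "glibc $v is at or past the upstream fix (still confirm the vendor advisory)"
    else
        echo "glibc $v predates the upstream fix; check your distro's backport"
    fi
    lsof +c0 -d DEL 2>/dev/null | stale_libc_processes
else
    printf '%s\n' "$SAMPLE_LSOF" | stale_libc_commands
fi
```

On the sample, stale_libc_commands prints only httpd and sshd: the libpthread line is filtered out because only libc-* matters here, and ntpd's deleted libcrypto is a different update. The version check is deliberately a hint, not a verdict; on RHEL, CentOS or Debian the patched package keeps a 2.1x version string, so the distro detector script or the advisory's package version is the authoritative check.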
IBM Specific Product Technotes
Technote 1696618 covers their Security Proventia Network Enterprise Scanner product and lists a product fix
Technote 1696526 covers their Security Virtual Server Protection for VMware, which includes fixes
Technote 1695835 covers their Security Access Manager for Enterprise SSO Virtual Appliance
Technote 1696243 covers their WebSphere Transformation Extender with Launcher Hypervisor [for RHEL]
Technote 1696602 covers their PureApplication System
Technote 1696600 covers their Workload Deployer
Technote 1695860 covers their QRadar SIEM, QRadar Risk Manager, and QRadar Vulnerability Manager products
Technote 1696546 covers their Tivoli Access Manager for e-business
Technote 1697649 covers Domino not being in-scope
IBM's Product Security Incident Response site lists all of the IBM GHOST related Technotes