All you need to know about the 'GHOST' vulnerability

A sysadmin's nightmare

Another vulnerability shocked the world of technology and the Linux community earlier this week. The Qualys security research team found a critical vulnerability in the Linux GNU C Library (glibc) that allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials according to the security outfit.

What does it mean for you as an Internet user and what does it mean for Linux system administrators? Was it really a shocking event? Here's everything you need to know in seven short questions.

1. What is "GHOST"?

"GHOST" is the name of a vulnerability recently found in one of the key components of Linux systems. The component is the Linux GNU C Library that is used by all Linux programs. The vulnerability has been found in a function of this library that is used to convert Internet host names to Internet addresses.

If an attacker found vulnerable software and a way to transfer a properly crafted host name up to this function then theoretically the attacker could take over the control of the system.






2. How widespread is it?

This vulnerability affects almost all major Linux distributions, except a few such as Ubuntu 14.04. Millions of servers on the Internet contain this vulnerability.

What does it mean? It means that the vulnerability exists on servers but there should be certain conditions met to render the server remotely attackable. According to Qualys' report, they have found an email server software called Exim that is remotely exploitable. There is no recent and full deployment share report showing how many public Exim servers are on the Internet, however it has a measurable "market" share but according to some old reports it's just a few percent.

Note that to have an exploitable Exim-based email server one has to configure extra security checks for the HELO and EHLO commands of the SMTP protocol. Fortunately Qualys found that many well-known Linux-based web, email and other server software are not affected by this vulnerability like Apache, nginx, OpenSSH, syslog-ng.

So we can say that apart from that the vulnerability could be found on many servers actually the remotely attackable share of these servers is low.

3. How can I secure my Exim email server?


Source:
http://www.techradar.com/news/software/security-software/all-you-need-to-know-about-the-ghost-vulnerability-1282919

Ghostbusting in the 'critically' vulnerable Linux machine

Whose afraid of GHOSTs? Disagreement over potential risks of new Linux vulnerability, but layered defence is recommended.

Security vendor Qualys has exposed and defined a new critical Linux vulnerability in the Linux GNU C Library (versions 2.2 and newer) that is capable of instigating remote code execution in some cases. The threat could lead to malicious control over user devices and system installations that date back to year 2000.

Known formally as CVE-2015-0235, the threat is more jauntily named GHOST because it can be triggered by the "_gethostbyname" function, a networked computing control used by a vast number of machines.






Qualys CTO Wolfgang Kandek has said that the flaw could allow attackers to gain remote control of a system without having any prior knowledge of system credentials. An attacker could send a simple email on a Linux-based system to trigger a buffer overflow and automatically get complete access to that machine.
Danger disclosure dilemma

Szilard Stange, director at software management toolkit and malware scanning company Opswat, asserts that vulnerabilities like this bring into question exactly how we as an industry handle the wider disclosure process. This is because, according to Opswat investigation, many distributions were not affected by this vulnerability like the latest long-term-support release of Ubuntu.

“Many distributions [had] released an update to the vulnerable software about a week before the publication date and many others have released updates on the same day, like Red Hat and Debian. All the updates were released as a result of the coordination of the disclosure process. We can say that all major Linux distributions had the fix released on the same day of security advisory release,” Strange told SCMagazineUK.com.

Read more :
http://www.scmagazineuk.com/ghostbusting-in-the-critically-vulnerable-linux-machine/article/395105/

Remotely exploitable ‘GHOST’ bug strikes all Linux distros

Researchers have discovered a serious vulnerability affecting multiple distributions of the Linux OS. While there are patches available the clean up effort is likely to going be a major task for Linux admins.

A round of patches were released today to fix a critical Linux bug, dubbed GHOST, which is a remotely exploitable flaw in Linux distributions and could allow an attacker to take control of a vulnerable Linux machine.




The bug was discovered during a code review by vulnerability management firm Qualys. The company said that it had developed a proof of concept (PoC) attack “in which we send a specially created e-mail to a mail server and can get a remote shell to the Linux machine”. In other words, the risk will become very real when the company releases the exploit, which it plans to do in coming months.

The reason they’ve called the bug GHOST, which has been assigned CVE-2015-0235, is that it can be triggered by GetHOST functions.


Source:
http://www.cso.com.au/article/564898/remotely-exploitable-ghost-bug-strikes-all-linux-distros/