Vulnerability Overview: Ghost (CVE-2015-0235)
JAN 27TH, 2015
Last Updated: Fri Jan 30 16:59:00 UTC 2015
An alert about a severe vulnerability discovered by the Qualys security team was issued on Tuesday, January 27 2015. This vulnerability allows a local or remote attacker to execute code within the context of an application linked with certain versions of the glibc library. The vulnerability is triggered by a buffer overflow in the
gethostbyname() function, called when resolving a hostname to an IP.
Immediate patches are required to fix a vulnerability in glibc that allows arbitrary code execution from unauthenticated users. It is necessary to restart computers or processes following patching.
Ghost enables code execution, arbitrary data disclosure, and system compromise from unauthenticated remote attackers. The ways that a system could be vulnerable to this bug are numerous, and no exhaustive list could be compiled. Patching is required immediately, as a proof-of-concept is soon to be publicly released.
What is vulnerable?
This vulnerability has been in production glibc versions since November 2000, and was patched in source code since May 2013:
- glibc 2.2 through 2.17 (inclusive) are vulnerable
- glibc 2.18 through 2.20 (inclusive) are NOT vulnerable
- prior versions of glibc (<= 2.1.3) are NOT vulnerable
Even if you are not directly using the
gethostbyname() function, a large number of software packages incorporate the call and are vulnerable.
Service and software that can be exploited include, but is not limited to:
- pppd (SUID root)
- Exim Internet Mailer
An exploit has been written against Exim, and a working PoC is soon to be publicly disclosed.
Who is vulnerable?
- Organizations that ship applications statically linked against vulnerable versions of glibc, or ship appliances built on Linux distributions that have a vulnerable version of glibc. This includes virtual appliances/virtual machines.
- Organizations or end users that have a Linux desktop or server running with a vulnerable version of glibc, or use applications statically linked against a vulnerable version of glibc. This also extends to appliances and virtual machines. Since this vulnerability has been present in glibc for over a decade, out of date or EOL’d devices are likely to be vulnerable as well.
The following Linux distributions contains a vulnerable version of the glibc:
|10.04 LTS||fix available||fixed in libc6 2.11.1-0ubuntu7.20|
|12.04 LTS||fix available||fixed in libc6 2.15-0ubuntu10.10|
|14 and newer||not vulnerable|
|6.x - squeeze||vulnerable|
|6.x - squeeze (LTS)||vulnerable|
|7.x - wheezy||vulnerable|
|7.x - wheezy (security)||fix available||fixed in glib 2.13-38+deb7u7|
|8.0 - jesse||not vulnerable|
|dev - sid||not vulnerable|
|Desktop (v. 5)||fix available||fixed in glibc-2.5-123.el5_11.1|
|Desktop (v. 6)||fix available||fixed in glibc-2.12-1.149.el6_6.5|
|Desktop (v. 7)||fix available||fixed in glibc-2.17-55.el7_0.5|
|HPC Node (v. 6)||fix available||fixed in glibc-2.12-1.149.el6_6.5|
|HPC Node (v. 7)||fix available||fixed in glibc-2.17-55.el7_0.5|
|Server (v. 5)||fix available||fixed in glibc-2.5-123.el5_11.1|
|Server (v. 6)||fix available||fixed in glibc-2.12-1.149.el6_6.5|
|Server (v. 7)||fix available||fixed in glibc-2.17-55.el7_0.5|
|Server EUS (v. 6.6.z)||fix available||fixed in glibc-2.12-1.149.el6_6.5|
|Workstation (v. 6)||fix available||fixed in glibc-2.12-1.149.el6_6.5|
|Workstation (v. 7)||fix available||fixed in glibc-2.17-55.el7_0.5|
|RHEL 4 ELS||fix available||fixed in glibc-2.3.4-2.57.el4.2|
|13 “Maya”||fix available||Tracks Ubuntu 12.04, should get update from Ubuntu servers|
|17 “Qiana”||not vulnerable|
|17.1 “Rebecca”||not vulnerable|
|stable||not vulnerable||uses glibc 2.19-r1|
fixed in all releases since August 2013, discussion here and package info here
|anything recent||not vulnerable|
|19 and earlier||vulnerable||uses glibc 2.17 and earlier|
|20||not vulnerable||uses glibc 2.18|
|21||not vulnerable||uses glibc 2.20|
|all||vulnerable||appears to use glibc 2.16|
|Enterprise 11 & older||vulnerable|
|Enterprise 12||not vulnerable|
|openSUSE 13.1 & newer||not vulnerable|
|current||not vulnerable||uses glibc 2.20|
|14.1 and earlier||vulnerable||uses glibc 2.17 and earlier|
information about glibc versions
|7.2 and earlier||vulnerable||uses glibc 2.17 and earlier|
|7.4 and later||not vulnerable||uses glibc 2.19 and later|
|all||vulnerable||appears to use glibc 2.15|
|CentOS-5||fix available||fixed in glibc-2.5-123.el5_11|
|CentOS-6||fix available||fixed in glibc-2.12-1.149.el6_6.5|
|CentOS-7||fix available||fixed in glibc-2.17-55.el7_0.5|
Security Advisory ALAS-2015-473
|2014.09||fix available||fixed in glibc-2.17-55.93.amzn1|
|2014.03||fix available||fixed in glibc-2.17-55.93.amzn1|
|2013.09||fix available||fixed in glibc-2.12-1.149.49.amzn1|
|2013.03||fix available||Update to 2013.09 repos, then glibc-2.12-1.149.49.amzn1|
|2012.09||fix available||Update to 2013.09 repos, then glibc-2.12-1.149.49.amzn1|
|2012.03||fix available||Update to 2013.09 repos, then glibc-2.12-1.149.49.amzn1|
|2011.09||fix available||Update to 2013.09 repos, then glibc-2.12-1.149.49.amzn1|
|pre-2011.09||vulnerable||Unsupported Beta release, upgrade encouraged.|
iSEC and Matasano recommend performing the following discovery and remediation steps.
First, determine if your Linux is vulnerable. Either consult the table above, contact your vendor, or get the version from the version from the library itself. To do the latter, run
locate libc.so.6 to find the location of your libc, then run that file, and it will print out version information.
If your distribution has patches available, install those patches. Otherwise:
- Update to glibc 2.18 or newer
- Restart all processes that load the glibc library
- Issue new binaries for software statically linked against a vulnerable version of the glibc library.
The __nss_hostname_digits_dots() function of the GNU C Library (glibc) is vulnerable to a buffer overflow. This function incorrectly calculates the size of a buffer to allocate, and under certain circumstances, arbitrary data can overwrite adjacent memory resulting in a heap based buffer overflow. While only a maximum of four (4) bytes of memory can be overwritten, it has been demonstrated that this was enough to bypass exploitation mitigations (such as ASLR and NX) and grant code execution. The
__nss_hostname_digits_dots() function is usually not called directly but is called from the
gethostbyname2() glibc functions.
In practice, this can be exploited whenever the hostname passed is long enough (at least 1KB) and passes other sanity checks:
- The hostname is composed entirely of digits and dots
- The hostname starts and ends with a digit
- The hostname must be of the form of
Published date:  27 January 2015
Written by:  Jeremiah Blatz and Valentin Leon