{"id":247,"date":"2015-01-29T04:41:34","date_gmt":"2015-01-28T21:41:34","guid":{"rendered":"http:\/\/www.seven-stones.biz\/blog\/?p=247"},"modified":"2015-01-29T04:41:34","modified_gmt":"2015-01-28T21:41:34","slug":"ghost-buffer-overflow-in-glibc-library","status":"publish","type":"post","link":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/","title":{"rendered":"Ghost &#8211; Buffer Overflow in glibc Library"},"content":{"rendered":"<p>In the early hours of 28<sup>th<\/sup> January 2015 (GMT+0), news started to go mainstream about a vulnerability in the open source glibc library. The issue has been given the vulnerability marketing name \u201cGhost\u201d (the name derives from the fact that the vulnerability arises because of an exploitable bug reached through the <strong><span style=\"text-decoration: underline;\">g<\/span><\/strong>et<strong><span style=\"text-decoration: underline;\">host<\/span><\/strong>byname() function).<\/p>\n<p>The buffer overflow vulnerability has been given the CVE reference <a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2015-0235\">CVE-2015-0235<\/a>. The overflow itself sits in the internal helper __nss_hostname_digits_dots(), which gethostbyname() and gethostbyname2() (and their _r variants) call to handle names that look like numeric IP addresses before any DNS query is sent. It is triggered by a hostname that consists only of digits and dots, starts with a digit, does not end with a dot, and is long enough (roughly 1 KB) that the caller-supplied buffer is overrun by the size of one pointer: 4 bytes on 32-bit and 8 bytes on 64-bit systems. The newer getaddrinfo() does not go through this code path, so applications that use it instead of gethostbyname() are not affected.<\/p>\n<p><a href=\"http:\/\/www.gnu.org\/software\/libc\">glibc<\/a> is not a program as such. It is the GNU C library, a shared library that nearly every program on the system is linked against. It is most commonly found on systems running some form of Linux as an operating system.<\/p>\n<p><em><strong><a title=\"Redhat's Ghost write-up\" href=\"https:\/\/access.redhat.com\/articles\/1332213\">Red Hat mention on their site<\/a> that name resolution via gethostbyname() is the exposed path, and this condition has been shown to be exploitable. This makes the Ghost issue much more critical than many are claiming.<\/strong><\/em><\/p>\n<p>As with most things in security, the answer to the question \u201cis it dangerous for me\u201d is \u201cit depends\u201d &#8211; sorry &#8211; there is no simple binary yes or no here. 
Non-vulnerable versions of glibc have been available for some time now, so if the installation of the patch (read the last section on \u201cMitigation\u201d for details) is non-disruptive, then just upgrade.<\/p>\n<p>Most advisories are recommending the immediate installation of a patch, but read on\u2026<\/p>\n<h2>Impact<\/h2>\n<p>glibc is a core component of Linux. The bug was introduced in glibc 2.2 (November 2000) and fixed in glibc 2.18 (August 2013), so it affects any distribution that ships a glibc from 2.2 through 2.17, which covers most Linux releases from circa 2000 to mid-2013. This means that, similar to <a title=\"Heartbleed\" href=\"http:\/\/heartbleed.com\/\">Heartbleed<\/a>, it affects a wide range of applications that happen to call the vulnerable function.<\/p>\n<p>Giving credit to the open source dev team, the bug was fixed in May 2013, but it was not recognised as a security issue at the time and so was not backported to the long-term stable branches of glibc that distributions such as Debian 7, RHEL 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 still ship.<\/p>\n<p><strong><em>If the issue is successfully exploited, arbitrary code can be executed locally or remotely with the privileges of the process that called gethostbyname().<\/em><\/strong><\/p>\n<p>To be clear: this bug is remotely exploitable. So far at least one attack vector has been identified and tested successfully. The Exim mail server uses the glibc library and was found to be remotely exploitable through a listening SMTP service. But again \u2013 it is not as simple as \u201cI run Exim therefore I am vulnerable\u201d. The default configuration of Exim is not vulnerable: the published exploit needs Exim to be configured to verify the hostname given in the HELO\/EHLO command (the helo_verify_hosts or helo_try_verify_hosts options), because that verification is what passes the attacker-supplied name to gethostbyname().<\/p>\n<p>Just as with <a href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2014-6271\">Shellshock<\/a>, a handful of attack vectors were identified immediately and more began to surface over the following weeks. The number of \u201cchannels\u201d, or \u201cattack vectors\u201d, by which the vulnerability may be exploited determines the likelihood that an attack will be attempted against an organisation.<\/p>\n<p>Also, just as with Shellshock, it cannot be said with any decisiveness whether or not exploiting the issue gains immediate root access. 
It is not carved in stone that mail servers need to run with root privileges, but if the mail server process is running as root, then root will be gained by a successful exploit. It is safer to assume that immediate root access would be gained.<\/p>\n<p>More recent versions of the Exim mail server on Ubuntu 14.04 run under the privileges of the \u201cDebian-exim\u201d user. That account has no login shell, but the lack of a shell does nothing to stop code running inside a compromised Exim process, and a foothold as an unprivileged user on a default Ubuntu installation is usually enough for a moderately skilled attacker to escalate to a complete compromise.<\/p>\n<p>So there is a possibility that remote, unauthenticated access can be gained with root privileges.<\/p>\n<p>Just as with Shellshock, we can expect there to be bot-initiated scanners that look for signs of exploitable services on the public Internet and attempt to gain local access if a suitable candidate is found.<\/p>\n<p>At the time of writing, Rapid7 have said they are working on a <a href=\"http:\/\/www.metasploit.com\">Metasploit<\/a> test for the condition, which as well as allowing organisations to test their own exposure to Ghost, also of course permits lower skilled attackers to exploit the issue.<\/p>\n<p>Another example of an exploitable channel is Rapid7\u2019s own tool Nexpose, which, if running on an Ubuntu 12.04 appliance, will be vulnerable. However this will not be remotely exploitable.<\/p>\n<p><a title=\"Redhat's Ghost write-up\" href=\"https:\/\/access.redhat.com\/articles\/1332213\">Red Hat mention on their site<\/a> that DNS resolution also uses the gethostbyname() function and that \u201cto exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution\u201d. <strong><em>The point to take from this is not that DNS servers are exposed through Internet-facing firewalls: the overflow happens inside the calling application, before any DNS query leaves the host. The seriousness of Ghost increases considerably because so many Internet-facing applications resolve hostnames supplied by the remote party (verifying a HELO name, fetching a URL, connecting to a host named in a request), and each one that still calls gethostbyname() rather than getaddrinfo() is a potential remote vector.<\/em><\/strong><\/p>\n<p>A lot of software on Linux systems uses glibc. 
From this point of view, it is likely that more attack vectors will appear for Ghost than appeared for Shellshock. Shellshock was a Bash vulnerability and Bash is present on most Linux systems, but fewer network-facing services hand untrusted input to Bash than resolve hostnames through glibc.<\/p>\n<h2>Risk Evaluation<\/h2>\n<p>There is \u201chow can it be fixed?\u201d but first there is \u201cwhat\u00a0<em>should<\/em>\u00a0we do about it?\u201d \u2013 a factor that depends on business risk.<\/p>\n<p>When the information security community declares the existence of a new vulnerability, the risks to organisations cannot categorically be given even base indicators of \u201chigh\u201d, \u201cmedium\u201d or \u201clow\u201d, mainly because different organisations, even in the same industry sector, can have radically differing exposure to the vulnerability. Factors such as network segmentation can mitigate the impact, whereas the commonplace DMZ plus flat RFC 1918 private space usually vastly increases the potential financial impact of an attack.<\/p>\n<p>Take a situation where a vulnerable Exim mail service listens exposed to the public Internet and sits in a DMZ with a flat, un-segmented architecture behind it: the risk here is considerable. Generally with most networks, once one host falls, others can fall rapidly after it.<\/p>\n<p>Each organisation will be different in terms of risk. We cannot even draw similarities between organisations in the same industry sector. Take a bank for example: if a bank exposes a vulnerable service to the Internet and has a flat network as described above, it can be a matter of minutes before a critical database is compromised.<\/p>\n<p>As always the cost of patching should be evaluated against the cost of not patching. In the case of Ghost, the former will be a lot cheaper in many cases. Remember that increasing numbers of attack vectors will become apparent with time. 
<strong><em>A lot of software uses glibc! Try uninstalling glibc on a Linux system using a package manager such as aptitude, and the length of the list of packages that would go with it makes this fact immediately apparent.<\/em><\/strong><\/p>\n<h2>Mitigation<\/h2>\n<p>Ubuntu 14.04 and later ship glibc 2.19 or newer, which already contains the 2013 fix, so they were never vulnerable. Ubuntu 12.04, Debian 7, RHEL 5, 6 and 7 and their derivatives still ship older glibc branches; Debian, Red Hat and Ubuntu all published fixed packages on the day of disclosure (27<sup>th<\/sup> January), so the patch should already be available through the normal package update channel.<\/p>\n<p>To check a host, look at the upstream version with <code>ldd --version<\/code>: 2.18 or later is not affected, but for an older branch only the distribution package version tells you whether the vendor backport has been applied, so compare it against the vendor advisory. Qualys also published a short C test program that calls gethostbyname_r() with a hostname crafted to hit the overflow condition and reports whether a guard value placed after the buffer was overwritten; running it against the installed library gives a definitive answer for any build.<\/p>\n<p>Note that several services may be using glibc, so patching should not take place until all dependencies are known and impacts evaluated. Upgrading the package itself is straightforward; the complication is that every process already running keeps the old, vulnerable copy of the library mapped in memory until it is restarted (these show up in <code>lsof<\/code> output as using a file marked \u201c(deleted)\u201d).<\/p>\n<p>The machine will therefore need a reboot after the upgrade of glibc, or at a minimum every long-running service (sshd, the mail server, the web server and so on) must be restarted.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the early hours of 28th January GMT+0 2015, news started to go mainstream about a vulnerability in the open source glibc library. The issue has been given the vulnerability marketing term \u201cGhost\u201d (the name derives from the fact that the &hellip; <a href=\"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-247","post","type-post","status-publish","format-standard","hentry","category-general"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.4 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Ghost - Buffer Overflow in glibc Library - Security Macromorphosis<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" 
content=\"article\" \/>\n<meta property=\"og:title\" content=\"Ghost - Buffer Overflow in glibc Library - Security Macromorphosis\" \/>\n<meta property=\"og:description\" content=\"In the early hours of 28th January GMT+0 2015, news started to go mainstream about vulnerability in the open source glibc library. The issue has been given the vulnerability marketing term \u201cGhost\u201d (the name derives from the fact that the &hellip; Continue reading &rarr;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/\" \/>\n<meta property=\"og:site_name\" content=\"Security Macromorphosis\" \/>\n<meta property=\"article:published_time\" content=\"2015-01-28T21:41:34+00:00\" \/>\n<meta name=\"author\" content=\"itibble@gmail.com\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@seven_stones\" \/>\n<meta name=\"twitter:site\" content=\"@seven_stones\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"itibble@gmail.com\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/\"},\"author\":{\"name\":\"itibble@gmail.com\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\"},\"headline\":\"Ghost &#8211; Buffer Overflow in glibc Library\",\"datePublished\":\"2015-01-28T21:41:34+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/\"},\"wordCount\":1105,\"commentCount\":1,\"articleSection\":[\"General\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/\",\"name\":\"Ghost - Buffer Overflow in glibc Library - Security 
Macromorphosis\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#website\"},\"datePublished\":\"2015-01-28T21:41:34+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/ghost-buffer-overflow-in-glibc-library\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Ghost &#8211; Buffer Overflow in glibc Library\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/\",\"name\":\"Security Macromorphosis\",\"description\":\"Ian Tibble&#039;s Security 
Blog\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.seven-stones.biz\\\/blog\\\/#\\\/schema\\\/person\\\/dd7adbe0152f2279b133661b823e0c28\",\"name\":\"itibble@gmail.com\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g\",\"caption\":\"itibble@gmail.com\"},\"description\":\"Author of Security De-engineering, CTO at Seven Stones (Indonesia)\",\"sameAs\":[\"http:\\\/\\\/www.seven-stones.biz\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Ghost - Buffer Overflow in glibc Library - Security Macromorphosis","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/","og_locale":"en_US","og_type":"article","og_title":"Ghost - Buffer Overflow in glibc Library - Security Macromorphosis","og_description":"In the early hours of 28th January GMT+0 2015, news started to go mainstream about vulnerability in the open source glibc library. 
The issue has been given the vulnerability marketing term \u201cGhost\u201d (the name derives from the fact that the &hellip; Continue reading &rarr;","og_url":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/","og_site_name":"Security Macromorphosis","article_published_time":"2015-01-28T21:41:34+00:00","author":"itibble@gmail.com","twitter_card":"summary_large_image","twitter_creator":"@seven_stones","twitter_site":"@seven_stones","twitter_misc":{"Written by":"itibble@gmail.com","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/#article","isPartOf":{"@id":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/"},"author":{"name":"itibble@gmail.com","@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28"},"headline":"Ghost &#8211; Buffer Overflow in glibc Library","datePublished":"2015-01-28T21:41:34+00:00","mainEntityOfPage":{"@id":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/"},"wordCount":1105,"commentCount":1,"articleSection":["General"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/","url":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/","name":"Ghost - Buffer Overflow in glibc Library - Security 
Macromorphosis","isPartOf":{"@id":"https:\/\/www.seven-stones.biz\/blog\/#website"},"datePublished":"2015-01-28T21:41:34+00:00","author":{"@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28"},"breadcrumb":{"@id":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.seven-stones.biz\/blog\/ghost-buffer-overflow-in-glibc-library\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.seven-stones.biz\/blog\/"},{"@type":"ListItem","position":2,"name":"Ghost &#8211; Buffer Overflow in glibc Library"}]},{"@type":"WebSite","@id":"https:\/\/www.seven-stones.biz\/blog\/#website","url":"https:\/\/www.seven-stones.biz\/blog\/","name":"Security Macromorphosis","description":"Ian Tibble&#039;s Security Blog","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.seven-stones.biz\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.seven-stones.biz\/blog\/#\/schema\/person\/dd7adbe0152f2279b133661b823e0c28","name":"itibble@gmail.com","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/4efc9caa4c914912bcf9dd199b33f34a0d42e56752f4f713cd8d0c5416733603?s=96&d=mm&r=g","caption":"itibble@gmail.com"},"description":"Author of Security De-engineering, CTO at Seven 
Stones (Indonesia)","sameAs":["http:\/\/www.seven-stones.biz"]}]}},"_links":{"self":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/247","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/comments?post=247"}],"version-history":[{"count":2,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/247\/revisions"}],"predecessor-version":[{"id":249,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/posts\/247\/revisions\/249"}],"wp:attachment":[{"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/media?parent=247"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/categories?post=247"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seven-stones.biz\/blog\/wp-json\/wp\/v2\/tags?post=247"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
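
A practical check for the condition the post's Impact and Mitigation sections describe, added here as an example: it is not code from the original post, and it is not the Qualys program itself, although it is modelled on the test program Qualys published with their advisory. It assumes a glibc-based Linux system (the six-argument GNU gethostbyname_r() signature); the struct and function names are the example's own. It builds a hostname made only of digits, sized so that the faulty size check in the old __nss_hostname_digits_dots() is satisfied while the copy still does not fit, places a guard string immediately after the 1 KB buffer handed to gethostbyname_r(), and reports "vulnerable" if the guard is overwritten or "not vulnerable" if the fixed library rejects the undersized buffer with ERANGE.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Guard string placed directly after the lookup buffer. */
#define CANARY "in_the_coal_mine"

/* Scratch area for gethostbyname_r(): the 1 KB buffer the library may
 * overrun, followed immediately by the guard. A vulnerable glibc writes the
 * tail of the copied hostname (digits plus the NUL) into `canary`; a fixed
 * glibc notices the buffer is too small and returns ERANGE instead. */
struct ghost_probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

/* Length of the trigger hostname for a buffer of `bufsize` bytes. The
 * vulnerable size check in __nss_hostname_digits_dots() accounted for a
 * 16-byte address, two h_addr_list pointers and the NUL, but forgot the
 * alias-list pointer, so a name of this length passes the check yet does
 * not fit. */
size_t ghost_trigger_len(size_t bufsize)
{
    return bufsize - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

/* Writes the trigger name into `name` (which must hold bufsize bytes):
 * all digits, so it starts with a digit and has no trailing dot. */
void ghost_trigger_name(char *name, size_t bufsize)
{
    size_t len = ghost_trigger_len(bufsize);
    memset(name, '0', len);
    name[len] = '\0';
}

/* Runs the probe against the libc this binary is linked with.
 * Returns 1 if the guard was overwritten (vulnerable), 0 if the library
 * rejected the undersized buffer with ERANGE (fixed), and -1 if the call did
 * something else, meaning the probe did not take the expected glibc
 * digits-and-dots path and the result should be inspected by hand.
 * If `retval_out` is non-NULL it receives the raw gethostbyname_r() result. */
int ghost_vulnerable(int *retval_out)
{
    struct ghost_probe p;
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;
    char name[sizeof(p.buffer)];

    memset(&p, 0, sizeof p);
    memcpy(p.canary, CANARY, sizeof(CANARY));
    ghost_trigger_name(name, sizeof(p.buffer));

    retval = gethostbyname_r(name, &resbuf, p.buffer, sizeof(p.buffer),
                             &result, &herrno);
    if (retval_out != NULL)
        *retval_out = retval;

    if (memcmp(p.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;          /* the copy ran past the buffer into the guard */
    if (retval == ERANGE)
        return 0;          /* fixed glibc: buffer correctly judged too small */
    return -1;             /* unexpected path; do not treat as a clean result */
}

int main(void)
{
    int retval = 0;

    switch (ghost_vulnerable(&retval)) {
    case 1:
        puts("vulnerable: patch glibc and restart every process that uses it");
        return 0;
    case 0:
        puts("not vulnerable");
        return 0;
    default:
        printf("inconclusive: gethostbyname_r() returned %d\n", retval);
        return 1;
    }
}
```

Compile with `gcc -o ghost ghost.c` and run it on each host once after the package upgrade and again after the reboot or service restarts; because the check exercises the library the binary is actually linked against, it answers the question the package version alone cannot. An "inconclusive" result means the call did not behave like glibc's digits-and-dots path at all (a non-glibc libc, for instance), not that the host is safe.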