I ain't afraid of no GHOST – securo-bods
Serious – but it's no Heartbleed
The latest high-profile security vulnerability affecting Linux systems is serious but nowhere near as bad as the infamous Heartbleed flaw, according to security experts.
Hackers might be able to use the so-called GHOST flaw to plant malware or seize control of some Linux-based systems.
Security researchers at cloud security firm Qualys found a critical vulnerability in Linux, specifically in the GNU C Library (glibc). The vulnerability – nicknamed “GHOST” – allows attackers to remotely hack into vulnerable systems without any passwords or administrator credentials.
GHOST (CVE-2015-0235), which can be triggered through the gethostbyname family of functions, affects many Linux-based systems, starting with glibc-2.2, released on November 10, 2000. A proof-of-concept exploit developed by Qualys might be used against the Exim mail server, which is the default mail transfer agent on Debian Linux systems.
During testing, however, Qualys discovered the majority of other widely used applications and servers are not vulnerable even though they use the affected function. Technologies left unscathed include Apache, mariadb/mysql, nfs-utils, openldap, openSSH, postfix, pure-ftpd, Samba, Sendmail, tcp_wrappers and others.
A fix released in May 2013 (between the releases of glibc-2.17 and glibc-2.18) mitigates the effect of the vulnerability. Unfortunately, this fix was not classified as a security advisory at the time. As a result, many distributions were left exposed to the vulnerability, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04.
Qualys has worked closely with Linux distributors to develop software updates ahead of going public about the vulnerability on Monday, following this up with a blog post aimed at a more mainstream IT community audience.
“GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine," warned Wolfgang Kandek, chief technical officer for Qualys. "For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine.”
“Given the sheer number of systems based on glibc, we believe this is a high severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor,” Kandek concluded.
Veracode CTO and co-founder Chris Wysopal warned that the newly-discovered GHOST vulnerability affected multiple Linux systems.
"This is a serious vulnerability because it's high impact when exploited and is very widespread, since there are many public-facing Linux systems that are vulnerable and easily accessible by cyberattackers," Wysopal explained. "For example, attackers can now use this vulnerability to remotely install cyber-espionage malware or turn machines into botnet 'zombies' that execute DDoS attacks on demand."
Like Heartbleed and Shellshock before it, GHOST stems from coding flaws in a widely reused open source component, Wysopal added.
"This is yet another example, like Heartbleed and Shellshock, of a reusable open source component that is widely used and also quite vulnerable. In our research, we've found that open source components such as glibc introduce an average of twenty-four known vulnerabilities into each web application. GHOST won’t be as widespread as Heartbleed and Shellshock, but it's widespread enough that IT operations teams at many companies are now scrambling to find all instances so they can patch them ASAP," he concluded.
H.D. Moore, chief research officer at Rapid7, the firm behind the widely used Metasploit penetration testing tool, warned that Linux-based network appliances may also be vulnerable.
“Linux-based appliances from a variety of vendors are going to be impacted, though as with most library-level vulnerabilities, the attack surface is still largely unknown," Moore said. "If you use Linux-based appliances, check with your vendor to determine whether an update is available and needs to be applied."
Moore agreed with other experts that GHOST, although worthy of immediate triage, was nowhere near as serious as the infamous Heartbleed OpenSSL security vulnerability.
"To be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit. One easily-exploitable case identified so far is the Exim mail server. An attacker could abuse this vulnerability to execute arbitrary commands on an unpatched server."
"Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted,” Moore concluded.
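Moore's point about rebooting is easy to verify on a host: once the glibc package has been replaced on disk, the kernel marks the old library in each still-running process's memory map as "(deleted)", and those processes keep executing the old code until they are restarted. The script below is an added example written for this article, not code from Qualys, Rapid7 or any distribution; the `stale_libc_lines` and `report_stale_services` function names and the sample maps content are constructed for illustration.

```shell
#!/bin/sh
# Added example: find running processes that still map a libc whose file on
# disk has been replaced since they started (shown as "(deleted)" in
# /proc/<pid>/maps). Those services are still running the pre-update code.

# stale_libc_lines: read text in /proc/<pid>/maps format on stdin and print the
# unique paths of libc mappings whose backing file has been deleted/replaced.
# Field 6 is the pathname; the kernel appends "(deleted)" as a 7th field.
# The pattern matches libc-2.13.so / libc.so.6 style names but not
# libcrypto.so or libcap.so.
stale_libc_lines() {
    awk '
        $6 ~ /\/libc(-[0-9.]+)?\.so/ && $7 == "(deleted)" { seen[$6] = 1 }
        END { for (p in seen) print p }
    ' | sort
}

# report_stale_services: scan every process on this host and print
# "<pid> <comm> <stale libc path>" for each one still using a replaced libc.
# Reading other users' maps files requires root.
report_stale_services() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        paths=$(stale_libc_lines < "$maps" 2>/dev/null) || continue
        [ -n "$paths" ] || continue
        comm=$(cat "/proc/$pid/comm" 2>/dev/null)
        for p in $paths; do
            printf '%s %s %s\n' "$pid" "$comm" "$p"
        done
    done
}

# Constructed sample of a maps file from a process that started before a glibc
# update (the libc lines are marked deleted; libcrypto and libpthread are
# present to show they are ignored).
SAMPLE_MAPS='7f0a1c000000-7f0a1c1a0000 r-xp 00000000 08:01 1234 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f0a1c1a0000-7f0a1c3a0000 ---p 001a0000 08:01 1234 /lib/x86_64-linux-gnu/libc-2.13.so (deleted)
7f0a1c400000-7f0a1c500000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
7f0a1c600000-7f0a1c700000 r-xp 00000000 08:01 9999 /lib/x86_64-linux-gnu/libpthread-2.13.so
7ffd00000000-7ffd00021000 rw-p 00000000 00:00 0 [stack]'

# demo_sample: run the parser over the constructed sample.
demo_sample() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_libc_lines
}

# Scan the live host only when explicitly requested: GHOST_SCAN=1 sh check.sh
case "${GHOST_SCAN:-}" in
    1) report_stale_services ;;
esac
```

Run it with `GHOST_SCAN=1` as root after installing the vendor's glibc update; an empty report means no long-running service still holds the old library, while any listed process needs a restart (or the host a reboot). Note that distributions backport the fix without bumping glibc to 2.18, so a version number below 2.18 on a patched system is expected; the vendor advisory, not the upstream version, says whether a package is fixed.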
Further technical analysis of the GHOST vulnerability by security researcher lcamtuf can be found here. ®