Linux Systems Are Being Affected by Critical GHOST Vulnerability

A critical vulnerability has been detected in the GNU C Library (glibc), a component used by most Linux distributions. It allows attackers to execute malicious code on servers and take control of Linux machines remotely.

The vulnerability, called ‘GHOST’ and assigned CVE-2015-0235, was found by security researchers from Qualys, a security firm based in Redwood Shores, California.

The Vulnerability Is as Critical as Shellshock and Heartbleed

GHOST is considered very critical because attackers can exploit it to gain full control of the targeted Linux system without any knowledge of system credentials such as administrative passwords.

The defect represents a huge threat to the internet, in some ways similar to the Shellshock, Heartbleed and Poodle bugs that came into the limelight last year.

Why Is It Being Called GHOST?

The GNU C Library (glibc) vulnerability is called GHOST because it can be triggered through the library’s gethostbyname family of functions. Glibc is an archive of open-source software written in the C and C++ coding languages.

The problem originates from a heap-based buffer overflow found in the glibc function __nss_hostname_digits_dots(). This function is called by the gethostbyname() and gethostbyname2() function calls.

According to the research, a remote attacker who is able to make an application call any of these functions can exploit the vulnerability to execute arbitrary code with the permissions of the user running the application.

Exploit Code

To demonstrate the severity of the risk, the researchers wrote proof-of-concept exploit code capable of carrying out a full-fledged remote code execution attack against the Exim mail server.

The researchers were able to bypass all of the existing exploit protections (ASLR, PIE and NX, that is, address space layout randomization, position-independent executables and no-execute protection) on both 32-bit and 64-bit systems.

Using the exploit, an attacker can craft malicious emails that automatically compromise a vulnerable server, without the email even being opened.

The vulnerability affects glibc versions as far back as glibc-2.2, released in 2000.

How to Check Your System for the GHOST Vulnerability
Step 1:

Log in to the system as the root user and run the following command.

wget https://gist.githubusercontent.com/koelling/ef9b2b9d0be6d6dbab63/raw/de1730049198c64eaf8f8ab015a3c8b23b63fd34/gistfile1.c

[Screenshot 1]

As the screenshot above shows, the command executed successfully and a file named gistfile1.c was saved into the folder.

Step 2:

Now compile the file with the gcc compiler to produce an executable. The command is as follows.

gcc gistfile1.c -o CVE-2015-0235

[Screenshot 2]

After compilation, the output file is CVE-2015-0235. Now execute this file. If your server is vulnerable, you will see “Vulnerable” in the output of the program.

Solutions Available for Some Linux Distributions

Linux operating system distributors such as Debian, Red Hat and Ubuntu have updated their software in order to thwart this critical threat. For the update to take effect, a restart of the core functions or of the complete affected server is required.

Update Steps:

Run the following command to update the package that is exposed to this vulnerability.

[Screenshot 3]

To eliminate any potential risk, customers are advised to update their systems as soon as possible.

After rebooting the system, run the same command again to see whether you are still vulnerable.

[Screenshot 4]

After updating the system and running the same program, the screen shows that the system is ‘not vulnerable’.
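
A process keeps using the glibc it loaded at start-up, so the update only protects a service once that service has been restarted. The script below is an added example, not part of the original article or of the linked test program: it lists the processes that still map the replaced library, and the tree built by make_sample_proc (PIDs, process names, addresses) is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original article): after the glibc update, list
# processes that still map the old library, which the kernel marks "(deleted)"
# in /proc/PID/maps. These are the services that still need a restart.

# stale_libc_pids [PROC_ROOT] prints "PID COMMAND" for each affected process.
stale_libc_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Match libc-2.19.so or libc.so.6 only, not libcrypto, libcap, etc.
        if grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$maps" 2>/dev/null; then
            dir=${maps%/maps}
            comm=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "${dir##*/}" "$comm"
        fi
    done
}

# make_sample_proc DIR builds a constructed /proc-like tree (hypothetical PIDs,
# names and addresses) so the function can be tried offline.
make_sample_proc() {
    mkdir -p "$1/101" "$1/202" "$1/303"
    echo exim4 > "$1/101/comm"   # started before the update: old libc unlinked
    echo '7f1c2a400000-7f1c2a5be000 r-xp 00000000 08:01 131090 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)' > "$1/101/maps"
    echo sshd > "$1/202/comm"    # same situation, unversioned file name
    echo '7f88d1000000-7f88d11b0000 r-xp 00000000 08:01 131555 /usr/lib64/libc.so.6 (deleted)' > "$1/202/maps"
    echo cron > "$1/303/comm"    # restarted: maps the new libc; old libcrypto is not libc
    {
        echo '7f5a10000000-7f5a101be000 r-xp 00000000 08:01 140001 /lib/x86_64-linux-gnu/libc-2.19.so'
        echo '7f5a10400000-7f5a10600000 r-xp 00000000 08:01 131777 /usr/lib/libcrypto.so.1.0.0 (deleted)'
    } > "$1/303/maps"
}

# Live check: run as root so every process's maps file is readable.
stale_libc_pids /proc
```

An empty result on the live system means no running process still maps a replaced libc; any process that is listed has to be restarted (or the server rebooted) before the fix applies to it.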

References:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235


