Ghost vulnerability in GNU C Library can be exploited remotely to hijack the Linux System

CVE-2015-0235 Ghost Vulnerability in Glibc poses serious risks for Linux distribution

Security researchers have discovered a critical flaw in the most widely used component of most Linux distributions. Named as Ghost vulnerability, the flaw can be exploited by a potential hacker to take full control of a Linux run PC through remote code execution. The flaw can be exploited just by sending a malicious email to the victim.

Researchers at Qualys disclosed the flaw on Tuesday after many of the Linux distributions had released a patch for the flaw. The flaw has been assigned vulnerability id CVE-2015-0235.

The Ghost Flaw

The  Ghost vulnerability is present in the GNU C Library known as glibc. Glibc is the C library that defines system calls in Linux.  The bug was first discovered to appear in in glibc in 2000. Qualys says that it was fixed on May 21, 2013 in the versions between 2.17 and 2.18.

Apparently the flaws wasnt recognized as a security risk and Linux distributions like Debian 7, Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7 and Ubuntu 12.04 were not modified. Now while doing a code audit, Qualys found the Ghost flaw in glibc.

The flaw in Glibc exposes a buffer overflow that can be triggered locally and remotely in the “gethostbyname” functions. Researchers at Qualys discovered that buffer overflow vulnerability in the __nss_hostname_digits_dots() function of glibc, that can be triggered (locally or remotely) via the gethostbyname*() functions used to resolve hostnames.

Qualys researchers say that they have developed a proof-of-concept attack where sending a specially crafted email to a mail server can give them remote access to a Linux machine. Once they get remote access they can hijack the machine.  Qualys says that the PoC succeeded in bypassing all existing protection systems on both 32-bit and 64-bit systems.

Websense state that they had not seen any web-based or email-based exploitation of this flaw as of today. Further, in a post to the OpenWall security forum Qualys has stated that the vulnerable functions are no longer always called having been replaced by the getaddrinfo() function in IPV6 implementations, that pre-validation of the argument sent to the function removes the potential for exploitation and that glibc itself was patched in 2013. However the flaw has been deemed as critical by Websense.

It is known that the following distributions are amongst those affected: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04. While big Linux distributions like Red Hat, Debian, Ubuntu and Novell have already issued patch for the vulnerability and you are advised to patch your machine as soon as possible.  You can check whether you machine is vulnerable to Ghost vulnerability by visiting the GitHub here.

LEAVE A REPLY

Please enter your comment!
Please enter your name here