Highly critical “Ghost” allowing code execution affects most Linux systems



#1 NickAu

    Bleepin' Fish Doctor

  • Moderator
  • 11,779 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 27 January 2015 - 03:30 PM

 

An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers used to deliver e-mail, host webpages, and carry out other vital functions.

The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in some ways comparable to the Heartbleed and Shellshock bugs that came to light last year. The bug, which is being dubbed "Ghost" by some researchers, has the common vulnerability and exposures designation of CVE-2015-0235. While a patch was issued two years ago, most Linux versions used in production systems remain unprotected at the moment. What's more, patching systems requires core functions or the entire affected server to be rebooted, a requirement that may cause some systems to remain vulnerable for some time to come.

The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that's invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections. Qualys has not yet published the exploit code but eventually plans to make it available as a Metasploit module.

“A lot of collateral damage on the Internet”

The glibc is the most common code library used by Linux. It contains standard functions that programs written in the C and C++ languages use to carry out common tasks. The vulnerability also affects Linux programs written in Python, Ruby, and most other languages because they also rely on glibc. As a result, most Linux systems should be presumed vulnerable unless they run an alternative to glibc or use a glibc version that contains the update from two years ago. The specter of so many systems being susceptible to an exploit with such severe consequences is prompting concern among many security professionals. Besides Exim, other Linux components or apps that are potentially vulnerable to Ghost include MySQL servers, Secure Shell servers, form submission apps, and other types of mail servers.

Highly critical “Ghost” allowing code execution affects most Linux systems



#2 cat1092

    Bleeping Cat

  • BC Advisor
  • 6,889 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 29 January 2015 - 03:02 AM

With all of the touting of how bulletproof Linux is, I figured it would be just a matter of time before this would be proven to be wrong, and why I run antivirus software on my main Linux Mint 17.1 desktop & the notebook that my wife uses that runs the same OS.

 

Before anyone reads this article and says this only matters to 1 to 2% of users, that is a very large untruth, much larger than many realize. It doesn't matter what OS one runs at home; if one is conducting business on the Internet, there's a very high chance that we're doing this on Linux servers, from emailing, banking, making transactions & general Web browsing. Even many of our local ISPs & other utilities are powered by Linux servers, as well as the very component that provides us Internet access, the router we use, be it a $20 or $300 one, if not flashed with custom firmware.

 

There is not a single supercomputer in the top 20 that is Windows powered, and over half run Linux.

 

When we shop, we use Linux to conduct the transaction, and if a 3rd party payment provider is used, then usually that's also done through Linux. This is a big deal. 

 

While there's many things the open source community can fix, much faster than Microsoft can provide, there's others that are elusive, and there's also those in the community, just as in any other, who are dishonest & don't want a fix. That's part of why these bugs have just been uncovered; some were probably known by a select few for some time. However, there's no way to eradicate the criminal elements involved & this is the case with any brand of OS.

 

Am hoping that the major Linux developers are on this (surely they are); however, there is much work to be done, and to make matters worse, there's those who are doing all in their power to slow progress. Some of the damage was also allowed to be done through lax security procedures by those who are administrating these servers. So it's not just a matter of fixing the underlying issues, it's also one of retraining Linux system administrators to spot exploits & put up a fight against the bad guys.

 

Cat


Performing full disc images weekly and keeping important data off of the 'C' drive as generated can be the best defence against Malware/Ransomware attacks, as well as a wide range of other issues. 


#3 Al1000

  • Global Moderator
  • 6,705 posts
  • Gender:Male
  • Location:Scotland

Posted 29 January 2015 - 08:19 AM

I just searched Mint 17.1 for this application and it's not there.

al@desktop-pc ~ $ sudo locate gethostbyname
[sudo] password for al:
/usr/share/doc/python-twisted-names/examples/gethostbyname.py
/usr/share/man/man3/gethostbyname.3.gz
/usr/share/man/man3/gethostbyname2.3.gz
/usr/share/man/man3/gethostbyname2_r.3.gz
/usr/share/man/man3/gethostbyname_r.3.gz
al@desktop-pc ~ $

The manual (man gethostbyname) says:

The gethostbyname*(), gethostbyaddr*(), herror(), and hstrerror() functions are obsolete. Applications should use getaddrinfo(3), getnameinfo(3), and gai_strerror(3) instead.

So at least this vulnerability won't affect modern Linux desktop operating systems directly.


Edited by Al1000, 29 January 2015 - 08:21 AM.


#4 Didier Stevens

  • BC Advisor
  • 2,620 posts
  • Gender:Male

Posted 29 January 2015 - 05:30 PM

gethostbyname is not an application, it is a C library function. The (3) you see in your man page indicates that it is a C Library Function.

So it's not a file you can find with locate/find.

Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#5 Al1000

  • Global Moderator
  • 6,705 posts
  • Gender:Male
  • Location:Scotland

Posted 29 January 2015 - 07:23 PM

Ah, thanks for the info.

Given that the manual says it's obsolete, can it be removed or disabled?

#6 cat1092

    Bleeping Cat

  • BC Advisor
  • 6,889 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 30 January 2015 - 01:34 AM

Am glad to read this in the article that Nick posted, which has been added after the original article was written.

Update: Red Hat Enterprise Linux 5, has an update here, and readers are reporting a fix is also available for Ubuntu 12.04.

 

Just so happens that yesterday, after an extensive search for a compatible OS, I installed Ubuntu 12.04 (non-PAE version) on my 11 year old IBM ThinkPad T42 that was running only XP Pro. It has been running great so far, and there couldn't have been better timing for this fix. So it appears that many are working hard on this issue, and hopefully all affected systems will be patched ASAP.

 

There is still lots of work to be done, but I trust that the Linux community is capable of handling the task. 

 

I've also noticed in the last couple of weeks, though I cannot be 100% certain if this applies to my Linux Mint OS's & the issue at hand, that there's been a more than normal amount of security updates released.

 

Cat


Edited by cat1092, 30 January 2015 - 01:34 AM.



#7 Didier Stevens

  • BC Advisor
  • 2,620 posts
  • Gender:Male

Posted 30 January 2015 - 08:33 AM

Ah, thanks for the info.

Given that the manual says it's obsolete, can it be removed or disabled?

 

Do you compile your own software for your Linux machines?




#8 Al1000

  • Global Moderator
  • 6,705 posts
  • Gender:Male
  • Location:Scotland

Posted 02 February 2015 - 04:50 PM

No I don't. I usually use either apt-get or a Package Manager to install software.

#9 Didier Stevens

  • BC Advisor
  • 2,620 posts
  • Gender:Male

Posted 02 February 2015 - 05:11 PM

Then the answer is no. You can only remove it if you modify the source code.




#10 NickAu

    Bleepin' Fish Doctor

  • Topic Starter
  • Moderator
  • 11,779 posts
  • Gender:Male
  • Location:127.0.0.1 Australia

Posted 03 February 2015 - 01:22 AM

Red Hat, Debian, Ubuntu and Novell have issued fixes. Administrators are advised to patch as soon as possible.

 

The vulnerability, nicknamed “Ghost,” is in the GNU C Library known as glibc.

 

To see the version:

ldd --version

The first line of the output will contain the version of eglibc.

nick@Unimatrix-1:~$ ldd --version
ldd (Ubuntu EGLIBC 2.19-0ubuntu6.5) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
nick@Unimatrix-1:~$ 

Glibc: GHOST Vulnerability Test To See If a Linux Server Is Secure

http://www.cyberciti.biz/faq/cve-2015-0235-ghost-glibc-buffer-overflow-linux-test-program/

 

How To Patch and Protect Linux Server Against the Glibc GHOST Vulnerability # CVE-2015-0235

http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/


Edited by NickAu, 03 February 2015 - 01:45 AM.


#11 cat1092

    Bleeping Cat

  • BC Advisor
  • 6,889 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 03 February 2015 - 03:55 AM

Great to hear, Nick!

 

I had faith that the open source community would put any differences aside, pull together & fix these issues in a timely manner. No beating around the bush, and once tested, shipped right out. 

 

Another reason to consider a Linux based OS, whether one's a home or business user, as well as those running servers.

 

Cat




#12 JohnnyJammer

  • Members
  • 1,108 posts
  • Gender:Male
  • Location:QLD Australia

Posted 03 February 2015 - 05:46 PM

Can I ask how many of you know of any business that has all Linux machines? I'm talking 50 to 1000 PCs, all Linux, not just 2 or 3.

Personally I know of none at all. This is why I would say that patches are fast; you have to remember with Microsoft there are literally hundreds and thousands if not millions of different types of software, whether it be custom or not.

 

I think it's great that the community releases quick fixes, but when it comes to patching Windows OS's you need to realise the scale of the patch; it's in the hundreds of millions or even over a billion units.

Anyone remember when Apple removed Java without the users' consent? LOL, nearly every print manufacturer in Australia was looking like going down and couldn't print newspaper editions!!

 

Not having a dig at Linux, but with the last few patches MS have released, I have been holding out on all servers and only releasing what I have tested. But like I said above, with different hardware types and software, what works on one doesn't always work with another.

 

Anyway my copies never needed this update because I have never written anything for Linux!



#13 cat1092

    Bleeping Cat

  • BC Advisor
  • 6,889 posts
  • Gender:Male
  • Location:North Carolina, USA

Posted 04 February 2015 - 02:20 AM

Many US government agencies have mostly Linux computers, and some of these would easily add up to tens of thousands of units in use. Other world governments use Linux also, though it was recently in the news that at least one German city was considering a return to Windows after many years of running Linux; however, reports of employee dissatisfaction were exaggerated.

 

http://www.techrepublic.com/article/no-munich-isnt-about-to-ditch-free-software-and-move-back-to-windows/

 

What was Steve Ballmer's answer to their IT solutions? XP.

 

http://www.techrepublic.com/article/how-munich-rejected-steve-ballmer-and-kicked-microsoft-out-of-the-city/

 

The world's major financial sectors, NYSE & NASDAQ, are also Linux powered, as well as large chains of banks across the US & many accounting firms. One of which was doing my tax returns when I was still working & they had (at the time) over 75 accountants, not including their assistants. Many universities also have a large number of Linux computers in use, UNC being one of these & less than a 30 minute drive away for me, & also Duke University, another 8-10 miles from there.

 

There has to be a reason why Linux system administrators & their assistants are better compensated than their Windows counterparts. Could be that more IT students choose the Windows highway instead, leaving a shortage for the Linux arena. This may account for why those who successfully graduate with Linux degrees & certificates are virtually guaranteed employment.

 

As to local businesses, I have no idea of any who have 50+ Linux systems in use, mainly because I am no longer involved in the business community. Though I could understand why that large of a business would deploy Linux; just licensing fees for Windows & Office alone would eat into any IT budget. The savings from running Linux on what would be 'retired' Windows computers alone would pay for in-house support staff, if a free version of Linux were used. If it were a subscription based Linux, it would be hard for me to make that determination, because I don't know the numbers.

 

At any rate, I am glad that these issues were fixed. Furthermore, I agree with JohnnyJammer above: with the sheer number of Windows computers in use worldwide, and 3 actively supported OS's (I am counting the Windows 8 family as one), it would indeed be difficult to make these fixes in the same amount of time. However, I feel that 90 days is too long, taking Google's side with transparency. If we're going to be openly discussing Linux vulnerabilities, the playing field should be level; those of Windows/MS Office shouldn't be closed door secrets.

 

Cat




#14 Al1000

  • Global Moderator
  • 6,705 posts
  • Gender:Male
  • Location:Scotland

Posted 04 February 2015 - 05:52 AM

Thanks for the info, Didier and Nick. LXLE on my laptop says "not vulnerable".

al@puppypc:~$ ldd --version
ldd (Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
al@puppypc:~$ wget https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
--2015-02-04 10:43:21--  https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c
Resolving webshare.uchicago.edu (webshare.uchicago.edu)... 128.135.22.61
Connecting to webshare.uchicago.edu (webshare.uchicago.edu)|128.135.22.61|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1046 (1.0K) [text/x-csrc]
Saving to: `GHOST.c'

100%[=================================>] 1,046       --.-K/s   in 0s      

2015-02-04 10:43:24 (89.3 MB/s) - `GHOST.c' saved [1046/1046]

al@puppypc:~$ gcc -o GHOST GHOST.c
al@puppypc:~$ ./GHOST
not vulnerable
al@puppypc:~$
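As an added self-check for the thread, here is a C program in the style of the canary test that GHOST.c performs: a lookup buffer followed by a marker string, handed to gethostbyname_r() with a name sized so that an unfixed __nss_hostname_digits_dots() miscounts the space it needs. It is not the GHOST.c linked above and not Qualys' or the forum's code; the names ghost_check, probe and CANARY are mine, and the third "inconclusive" verdict is my addition for libcs other than glibc.

```c
#define _GNU_SOURCE          /* glibc: declare gethostbyname_r() */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* The lookup buffer is followed in memory by a canary. A vulnerable
 * __nss_hostname_digits_dots() writes sizeof(char *) bytes past the
 * buffer and so overwrites the canary; a fixed glibc recomputes the
 * space it needs and refuses the call with ERANGE instead. */
struct probe {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

/* Return value: 0 = not vulnerable (ERANGE, canary intact),
 *               1 = vulnerable (canary overwritten),
 *               2 = inconclusive (no overflow, but no ERANGE either,
 *                   e.g. a libc other than glibc). */
int ghost_check(void)
{
    static struct probe p;          /* static: any overflow stays in .bss */
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(p.buffer)];

    memset(&p, 0, sizeof p);
    memcpy(p.canary, CANARY, sizeof(CANARY));

    /* Name length chosen so the unfixed size calculation (16-byte address
     * + two pointers + name + NUL) exactly fills the 1024-byte buffer. */
    size_t len = sizeof(p.buffer) - 16 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);         /* all digits: takes the digits-and-dots path */
    name[len] = '\0';

    int rc = gethostbyname_r(name, &resbuf, p.buffer, sizeof p.buffer,
                             &result, &herrno);

    if (memcmp(p.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;                   /* canary clobbered: the overflow happened */
    if (rc == ERANGE)
        return 0;                   /* fixed glibc rejected the undersized buffer */
    return 2;
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "VULNERABLE",
                                     "inconclusive (not glibc?)" };
    int rc = ghost_check();
    printf("CVE-2015-0235 self-test: %s\n", verdict[rc]);
    return rc == 0 ? 0 : 1;
}
```

Because the name is all digits, the call never reaches DNS, so the check runs offline; a "not vulnerable" result says only that this glibc build is patched, not that a distro's version number is above 2.18 (the 2.15 Ubuntu build above is a backported fix).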





#15 Didier Stevens

  • BC Advisor
  • 2,620 posts
  • Gender:Male

Posted 04 February 2015 - 03:25 PM

Thanks for the info, Didier and Nick. LXLE on my laptop says "not vulnerable"

al@puppypc:~$ gcc -o GHOST GHOST.c

You see, you do compile your software ;-)






