NetFort Advertising

I ain’t afraid of no GHOST (CVE-2015-0235)

gethostbyname

Ghost Vulnerability

The first big vulnerability of this year is out and what is it’s name? GHOST! Discovered by Qualys, it is exploiting a serious weakness in the glibc library which then allows a threat agent to compromise a system and gain full remote access to the target without any prior knowledge of system credentials.

Qualys have worked closely with Linux distribution vendors and have released the advisory in the link above yesterday. Patches are available for all distributions as of yesterday the 27th of January.

This vulnerability actually goes back as far as glibc-2.2 which was released on November 10, 2000. Yet another OLD vulnerability which is 15 years old. Once the automated scripts start to scan you better make sure that you are patched. It is only a matter of time really.

So what is GHOST?

It’s a ‘buffer overflow’ bug which affects the gethostbyname() and gethostbyname2() function calls in the glibc library. This then allows the Threat agent to make an application call to either of these functions and execute arbitrary code with the permissions of the user running the application.

How does it work?

Simply put, in order to exploit this the gethostbyname() function calls which are used for resolving DNS have a buffer overflow triggered by supplying an invalid hostname argument to an application that performs a DNS resolution.

What now?

Remediate and make sure all your systems are up to date in order to mitigate this threat to your network. We are currently working on a signature update for LANGuardian so you can check for exploit attempts on your network.

Test if your system is vulnerable or not with the following script:

#!/bin/bash
# rhel-GHOST-test.sh –  GHOST vulnerability tester. Only for CentOS/RHEL based servers.  #
# Credit : Red Hat, Inc – https://access.redhat.com/labs/ghost/ #
vercomp () {
   if [[ $1 == $2 ]]
   then
       return 0
   fi
   local IFS=.
   local i ver1=($1) ver2=($2)
   # fill empty fields in ver1 with zeros
   for ((i=${#ver1[@]}; i<${#ver2[@]}; i++))
   do
       ver1[i]=0
   done
   for ((i=0; i<${#ver1[@]}; i++))
   do
       if [[ -z ${ver2[i]} ]]
       then
           # fill empty fields in ver2 with zeros
           ver2[i]=0
       fi
       if ((10#${ver1[i]} > 10#${ver2[i]}))
       then
           return 1
       fi
       if ((10#${ver1[i]} < 10#${ver2[i]}))
       then
           return 2
       fi
   done
   return 0
}

glibc_vulnerable_version=2.17
glibc_vulnerable_revision=54
glibc_vulnerable_version2=2.5
glibc_vulnerable_revision2=122
glibc_vulnerable_version3=2.12
glibc_vulnerable_revision3=148
echo “Vulnerable glibc version <=” $glibc_vulnerable_version“-“$glibc_vulnerable_revision
echo “Vulnerable glibc version <=” $glibc_vulnerable_version2“-“$glibc_vulnerable_revision2
echo “Vulnerable glibc version <=” $glibc_vulnerable_version3“-1.”$glibc_vulnerable_revision3

glibc_version=$(rpm -q glibc | awk -F“[-.]” ‘{print $2″.”$3}’ | sort -u)
if [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
   glibc_revision=$(rpm -q glibc | awk -F“[-.]” ‘{print $5}’ | sort -u)
else
   glibc_revision=$(rpm -q glibc | awk -F“[-.]” ‘{print $4}’ | sort -u)
fi
echo “Detected glibc version” $glibc_version” revision “$glibc_revision

vulnerable_text=$“This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps”

if [[ $glibc_version == $glibc_vulnerable_version ]]
then
   vercomp $glibc_vulnerable_revision $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version2 ]]
then
   vercomp $glibc_vulnerable_revision2 $glibc_revision
elif [[ $glibc_version == $glibc_vulnerable_version3 ]]
then
   vercomp $glibc_vulnerable_revision3 $glibc_revision
else
   vercomp $glibc_vulnerable_version $glibc_version
fi

case $? in
   0) echo “$vulnerable_text”;;
   1) echo “$vulnerable_text”;;
   2) echo “Not Vulnerable.”;;
esac

If vulnerable you will then see the following output below:

CVE-2015-0235 Ghost

Keith Bennett

Support Engineer