Posted to users@cloudstack.apache.org by "linuxbqj@gmail.com" <li...@gmail.com> on 2015/01/28 11:04:51 UTC

GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf

A critical vulnerability has been found in glibc, the GNU C library,
that affects all Linux systems dating back to 2000. Attackers can use
this flaw to execute code and remotely gain control of Linux machines.

The issue stems from a heap-based buffer overflow found in the
__nss_hostname_digits_dots() function in glibc. That particular
function is used by the _gethostbyname function calls.

“A remote attacker able to make an application call either of these
functions could use this flaw to execute arbitrary code with the
permissions of the user running the application,” said an advisory
from Linux distributor Red Hat.

The vulnerability, CVE-2015-0235, has already been nicknamed GHOST
because of its relation to the _gethostbyname function. Researchers at
Qualys discovered the flaw, and say it goes back to glibc version 2.2
in Linux systems published in November 2000.

According to Qualys, there is a mitigation for this issue that was
published May 21, 2013 between patch glibc-2.17 versions and
glibc-2.18.

“Unfortunately, it was not recognized as a security threat; as a
result, most stable and long-term-support distributions were left
exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6
& 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from
Qualys posted to the OSS-Security mailing list.

Respective Linux distributions will be releasing patches; Red Hat has
released an update for Red Hat Enterprise Linux v.5 server. Novell has
a list of SUSE Linux Enterprise Server builds affected by the
vulnerability. Debian has already released an update of its software
addressing the vulnerability.

“It’s everywhere, which is kind of the urgency we have here. This has
been in glibc for a long time. It was fixed recently, but it was not
marked as a security issue, so things that are fairly new should be
OK,” said Josh Bressers, a member of the Red Hat security response
team. “From a threat level, what it comes down to is a handful of
stuff that’s probably dangerous that uses this function.”

Unlike past Internet-wide bugs such as Bash, patching glibc may not be
the chore it was with Bash since so many components made silent Bash
calls.

“In this instance, you just apply the glibc update, and restart any
services that are vulnerable,” Bressers said. “It’s not confusing like
Shellshock was.”

Qualys, in its advisory, not only shares extremely in-depth technical
information on the vulnerability, but also includes a section
explaining exploitation of the Exim SMTP mail server. The advisory
demonstrates how to bypass NX, or No-eXecute protection as well as
glibc malloc hardening, Qualys said.

Qualys also said that in addition to the 2013 patch, other factors
mitigate the impact of the vulnerability, including the fact that the
gethostbyname functions are obsolete because of IPv6 and newer
applications using a different call, getaddrinfo(). While the flaw is
also exploitable locally, this scenario too is mitigated because many
programs rely on gethostbyname only if another preliminary call fails
and a secondary call succeeds in order to reach the overflow. The
advisory said this is “impossible” and those programs are safe.

There are mitigations against remote exploitation too, Qualys said.
Servers, for example, use gethostbyname to perform full-circle reverse
DNS checks. “These programs are generally safe because the hostname
passed to gethostbyname() has normally been pre-validated by DNS
software,” the advisory said.

“It’s not looking like a huge remote problem, right now,” Bressers said.

However, while the bug may have been dormant since 2000, there is no
way to tell if criminals or government-sponsored hackers have been
exploiting this vulnerability. Nor is there any way to tell what will
happen once legitimate security researchers—and black hats—begin
looking at the vulnerability now that it’s out in the open. With Bash,
for example, it didn’t take long for additional security issues to
rise to the surface.

-- 
白清杰 (Born Bai)

Mail: linuxbqj@gmail.com
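
The article above makes two defensive points: newer applications use getaddrinfo() rather than the obsolete gethostbyname(), and programs are generally safe when the hostname reaching the resolver has been pre-validated. The block below is an added example, not code from this thread, from Threatpost, Qualys or the CloudStack project. The names hostname_syntax_ok() and resolve_host() are chosen for this example; it checks a name against RFC 1123 hostname syntax (or accepts an IPv4/IPv6 literal) before calling getaddrinfo(), which also handles IPv6, and the demo passes AI_NUMERICHOST so it runs without any NSS or DNS lookup.

```c
/* Added example: validate a hostname, then resolve it with getaddrinfo().
   hostname_syntax_ok and resolve_host are names chosen for this example. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <arpa/inet.h>
#include <ctype.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* RFC 1123 hostname syntax: 1..253 chars, dot-separated labels of 1..63
   letters, digits or '-', no label starting or ending with '-'.
   One trailing dot (FQDN form) is accepted. Returns 1 if ok, 0 otherwise. */
int hostname_syntax_ok(const char *name)
{
    size_t total = strlen(name);
    if (total == 0 || total > 253) return 0;
    size_t label = 0;
    for (size_t i = 0; i <= total; i++) {
        char c = name[i];
        if (c == '.' || c == '\0') {
            if (label == 0)                    /* empty label: only a single trailing dot is fine */
                return c == '\0' && i > 0 && name[i - 1] == '.';
            if (label > 63 || name[i - 1] == '-') return 0;
            label = 0;
        } else if (isalnum((unsigned char)c)) {
            label++;
        } else if (c == '-') {
            if (label == 0) return 0;          /* a label may not start with '-' */
            label++;
        } else {
            return 0;                          /* spaces, control bytes, anything else */
        }
    }
    return 1;
}

/* True when s is a plain IPv4 or IPv6 address literal. */
static int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Resolve host with getaddrinfo(), the replacement for gethostbyname(): it
   covers IPv4 and IPv6 and returns heap-allocated results instead of a static
   buffer. Input that is neither a valid hostname nor an address literal is
   rejected before the resolver sees it. The first address is written to out
   as text. Returns 0 on success, otherwise an EAI_* code. With numeric_only
   set, AI_NUMERICHOST restricts the call to literals, so no NSS/DNS lookup
   happens (the demo below relies on that to run offline). */
int resolve_host(const char *host, int numeric_only, char *out, size_t outlen)
{
    if (!is_ip_literal(host) && !hostname_syntax_ok(host)) return EAI_NONAME;

    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;               /* both address families, unlike gethostbyname() */
    hints.ai_socktype = SOCK_STREAM;           /* one entry per address rather than per socktype */
    if (numeric_only) hints.ai_flags = AI_NUMERICHOST;

    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0) return rc;

    const void *addr = (res->ai_family == AF_INET)
        ? (const void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr
        : (const void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
    if (inet_ntop(res->ai_family, addr, out, (socklen_t)outlen) == NULL) rc = EAI_FAIL;
    freeaddrinfo(res);
    return rc;
}

int main(void)
{
    /* Constructed inputs for the demo; numeric mode keeps this offline. */
    const char *inputs[] = { "127.0.0.1", "2001:db8::1", "-bad.example.com", "host name" };
    char text[INET6_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = resolve_host(inputs[i], 1, text, sizeof text);
        if (rc == 0) printf("%-20s -> %s\n", inputs[i], text);
        else         printf("%-20s -> rejected (%s)\n", inputs[i], gai_strerror(rc));
    }
    return 0;
}
```

Call resolve_host() with numeric_only = 0 for a real lookup; the syntax check still runs first, so the resolver only ever sees well-formed names.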

Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf

Posted by "linuxbqj@gmail.com" <li...@gmail.com>.
https://security-tracker.debian.org/tracker/CVE-2015-0235


2015-01-28 18:04 GMT+08:00 linuxbqj@gmail.com <li...@gmail.com>:
> [...]

-- 
白清杰 (Born Bai)

Mail: linuxbqj@gmail.com

Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf

Posted by "linuxbqj@gmail.com" <li...@gmail.com>.
Thanks John,

Is security@cloudstack.apache.org a mailing list?

How do I join it?


2015-01-29 5:05 GMT+08:00 John Kinsella <jl...@stratosec.co>:
> FYI the blog post mentioned below now has links to updated SSVM templates.
>
>> On Jan 28, 2015, at 11:49 AM, John Kinsella <jl...@stratosec.co> wrote:
>>
>> Folks - just posted mitigation details at [1]. An updated SSVM template is being QAed, once released the post will be updated with links and we’ll mention here as well.
>>
>> John
>> 1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc
>>
>> On Jan 28, 2015, at 4:55 AM, Rohit Yadav <ro...@shapeblue.com> wrote:
>>
>> Hi,
>>
>> While it's a general public news, everyone is requested and encouraged
>> to use the security mailing list in future to report anything. For more
>> details please read: http://cloudstack.apache.org/security.html
>>
>> Thanks and regards.
>>
>> On Wednesday 28 January 2015 03:34 PM, linuxbqj@gmail.com wrote:
>> [...]
>>
>> --
>> Regards,
>> Rohit Yadav
>> Software Architect, ShapeBlue
>> M. +91 8826230892 | rohit.yadav@shapeblue.com
>> Blog: bhaisaab.org | Twitter: @_bhaisaab
>



-- 
白清杰 (Born Bai)

Mail: linuxbqj@gmail.com

Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf

Posted by John Kinsella <jl...@stratosec.co>.
FYI the blog post mentioned below now has links to updated SSVM templates.

> On Jan 28, 2015, at 11:49 AM, John Kinsella <jl...@stratosec.co> wrote:
> 
> Folks - just posted mitigation details at [1]. An updated SSVM template is being QAed, once released the post will be updated with links and we’ll mention here as well.
> 
> John
> 1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc
> 
> On Jan 28, 2015, at 4:55 AM, Rohit Yadav <ro...@shapeblue.com> wrote:
> 
> Hi,
> 
> While it's a general public news, everyone is requested and encouraged
> to use the security mailing list in future to report anything. For more
> details please read: http://cloudstack.apache.org/security.html
> 
> Thanks and regards.
> 
> On Wednesday 28 January 2015 03:34 PM, linuxbqj@gmail.com wrote:
> [...]
> 


Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf

Posted by John Kinsella <jl...@stratosec.co>.
Folks - just posted mitigation details at [1]. An updated SSVM template is being QAed, once released the post will be updated with links and we’ll mention here as well.

John
1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc

On Jan 28, 2015, at 4:55 AM, Rohit Yadav <ro...@shapeblue.com> wrote:

Hi,

While it's a general public news, everyone is requested and encouraged
to use the security mailing list in future to report anything. For more
details please read: http://cloudstack.apache.org/security.html

Thanks and regards.

On Wednesday 28 January 2015 03:34 PM, linuxbqj@gmail.com wrote:
[...]

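
The mitigation in this thread is the one Bressers gives: apply the glibc update and restart the vulnerable services. The part that needs a check is knowing which processes still run the old code. On Linux, a process started before the update keeps the replaced library file mapped, and /proc/<pid>/maps shows that mapping with a "(deleted)" suffix. The block below is an added example, not part of John's post, the CloudStack blog entry or the SSVM template work. The names maps_line_stale_libc() and scan_procs_for_stale_libc() are chosen for this example and the sample maps lines are constructed; the live scan reads the real /proc of the host it runs on.

```c
/* Added example: find processes that still map a glibc that was replaced on
   disk, i.e. services that need a restart after the update.
   maps_line_stale_libc and scan_procs_for_stale_libc are names chosen here. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <string.h>

/* One /proc/<pid>/maps line: "addr perms offset dev inode [path [(deleted)]]".
   Returns 1 when the path is a libc object and the kernel marks it "(deleted)",
   meaning the mapped file was replaced or removed after the process started. */
int maps_line_stale_libc(const char *line)
{
    static const char marker[] = " (deleted)";
    const size_t mlen = sizeof marker - 1;
    size_t len = strlen(line);
    while (len > 0 && (line[len - 1] == '\n' || line[len - 1] == '\r')) len--;
    if (len < mlen || strncmp(line + len - mlen, marker, mlen) != 0) return 0;

    const char *end = line + len - mlen;       /* end of the path field */
    const char *path = strchr(line, '/');      /* the path is the first field containing '/' */
    if (path == NULL || path >= end) return 0;
    const char *base = path + 1;
    for (const char *p = path; p < end; p++)   /* basename of the path */
        if (*p == '/') base = p + 1;
    /* libc-2.19.so (older layouts) or libc.so.6 (newer); libcrypto etc. do not match */
    return strncmp(base, "libc-", 5) == 0 || strncmp(base, "libc.so", 7) == 0;
}

/* Walk /proc and report each process mapping a stale libc to `report` (may be
   NULL). Returns the number of such processes, or -1 if /proc cannot be
   opened. Reading another user's maps needs the same privilege as ptrace on
   that process, so run as root for a complete answer. */
int scan_procs_for_stale_libc(FILE *report)
{
    DIR *proc = opendir("/proc");
    if (proc == NULL) return -1;
    struct dirent *de;
    int hits = 0;
    char path[64], line[4096];
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;   /* pids only */
        snprintf(path, sizeof path, "/proc/%s/maps", de->d_name);
        FILE *f = fopen(path, "r");
        if (f == NULL) continue;                                /* exited, or not readable by us */
        int stale = 0;
        while (!stale && fgets(line, sizeof line, f) != NULL)
            stale = maps_line_stale_libc(line);
        fclose(f);
        if (stale) {
            hits++;
            if (report) fprintf(report, "pid %s still maps a replaced libc: restart it\n", de->d_name);
        }
    }
    closedir(proc);
    return hits;
}

int main(void)
{
    /* Constructed maps lines: a process started before the update (stale), one
       started after it (fresh), and an unrelated deleted file that must not match. */
    const char *samples[] = {
        "7f1c2b000000-7f1c2b1a4000 r-xp 00000000 08:01 1311767 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)",
        "7f1c2b000000-7f1c2b1a4000 r-xp 00000000 08:01 1311800 /lib/x86_64-linux-gnu/libc-2.19.so",
        "7f1c2c000000-7f1c2c001000 rw-p 00000000 00:00 0 /tmp/scratch.dat (deleted)",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%s\n  -> %s\n", samples[i], maps_line_stale_libc(samples[i]) ? "STALE libc" : "ok");

    int n = scan_procs_for_stale_libc(stdout);   /* live check of this host */
    if (n < 0) printf("/proc not available on this system\n");
    else       printf("%d process(es) need a restart\n", n);
    return 0;
}
```

A process that shows up here has the old glibc in memory regardless of what the package manager reports, so the restart (or a reboot, which also covers init and long-lived daemons) is what actually removes the vulnerable code.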


Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf

Posted by Rohit Yadav <ro...@shapeblue.com>.
Hi,

While it's a general public news, everyone is requested and encouraged
to use the security mailing list in future to report anything. For more
details please read: http://cloudstack.apache.org/security.html

Thanks and regards.

On Wednesday 28 January 2015 03:34 PM, linuxbqj@gmail.com wrote:
> A critical vulnerability has been found in glibc, the GNU C library,
> that affects all Linux systems dating back to 2000. Attackers can use
> this flaw to execute code and remotely gain control of Linux machines.
>
> The issue stems from a heap-based buffer overflow found in the
> __nss_hostname_digits_dots() function in glibc. That particular
> function is used by the _gethostbyname function calls.
>
> Related Posts
>
> Shellshock Worm Exploiting Unpatched QNAP NAS Devices
>
> December 15, 2014 , 11:35 am
>
> Linux Modules Connected to Turla APT Discovered
>
> December 9, 2014 , 10:26 am
>
> Bash Exploit Reported, First Round of Patches Incomplete
>
> September 25, 2014 , 11:41 am
>
> “A remote attacker able to make an application call either of these
> functions could use this flaw to execute arbitrary code with the
> permissions of the user running the application,” said an advisory
> from Linux distributor Red Hat.
>
> The vulnerability, CVE-2015-0235, has already been nicknamed GHOST
> because of its relation to the _gethostbyname function. Researchers at
> Qualys discovered the flaw, and say it goes back to glibc version 2.2
> in Linux systems published in November 2000.
>
> According to Qualys, there is a mitigation for this issue that was
> published May 21, 2013 between patch glibc-2.17 versions and
> glibc-2.18.
>
> “Unfortunately, it was not recognized as a security threat; as a
> result, most stable and long-term-support distributions were left
> exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6
> & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from
> Qualys posted to the OSS-Security mailing list.
>
> Respective Linux distributions will be releasing patches; Red Hat has
> released an update for Red Hat Enterprise Linux v.5 server. Novell has
> a list of SUSE Linux Enterprise Server builds affected by the
> vulnerability. Debian has already released an update of its software
> addressing the vulnerability.
>
> “It’s everywhere, which is kind of the urgency we have here. This has
> been in glibc for a long time. It was fixed recently, but it was not
> marked as a security issue, so things that are fairly new should be
> OK,” said Josh Bressers, a member of the Red Hat security response
> team. “From a threat level, what it comes down to is a handful of
> stuff that’s probably dangerous that uses this function.”
>
> Unlike past Internet-wide bugs such as Bash, patching glibc may not be
> the chore it was with Bash since so many components made silent Bash
> calls.
>
> “In this instance, you just apply the glibc update, and restart any
> services that are vulnerable,” Bressers said. “It’s not confusing like
> Shellshock was.”
>
> Qualys, in its advisory, not only shares extremely in-depth technical
> information on the vulnerability, but also includes a section
> explaining exploitation of the Exim SMTP mail server. The advisory
> demonstrates how to bypass NX, or No-eXecute protection as well as
> glibc malloc hardening, Qualys said.
>
> Qualys also said that in addition to the 2013 patch, other factors
> mitigate the impact of the vulnerability, including the fact that the
> gethostbyname functions are obsolete because of IPv6 and newer
> applications using a different call, getaddrinfo(). While the flaw is
> also exploitable locally, this scenario too is mitigated because many
> programs rely on gethostbyname only if another preliminary call fails
> and a secondary call succeeds in order to reach the overflow. The
> advisory said this is “impossible” and those programs are safe.
>
> There are mitigations against remote exploitation too, Qualys said.
> Servers, for example, use gethostbyname to perform full-circle reverse
> DNS checks. “These programs are generally safe because the hostname
> passed to gethostbyname() has normally been pre-validated by DNS
> software,” the advisory said.
>
> “It’s not looking like a huge remote problem, right now,” Bressers said.
>
> However, while the bug may have been dormant since 2000, there is no
> way to tell if criminals or government-sponsored hackers have been
> exploiting this vulnerability. Nor is there any way to tell what will
> happen once legitimate security researchers—and black hats—begin
> looking at the vulnerability now that it’s out in the open. With Bash,
> for example, it didn’t take long for additional security issues to
> rise to the surface.
>
> - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf
>

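The quoted article says the bug is a miscomputed buffer size in __nss_hostname_digits_dots(), reached through gethostbyname()/gethostbyname_r(), and that the fix is to update glibc and restart anything still linked against the old copy. A practical question for a CloudStack operator is whether the glibc actually loaded on a management server or KVM host is the fixed one. The program below is an added example, not code from this thread: it is modelled on the test program Qualys published with its advisory and reproduces the overflow condition locally without touching the network. It assumes glibc's NSS layout for the numeric-host fast path (a 16-byte host_addr, two address pointers, then the copied name); the struct name and the return codes are this example's own.

```c
/* Added example: local check for CVE-2015-0235 (GHOST), modelled on the
 * test program Qualys published with its advisory. Not part of the thread.
 * Assumption: a glibc-style libc whose gethostbyname_r() routes all-digit
 * names through the "digits and dots" numeric fast path. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* The caller-supplied result buffer, followed immediately in memory by a
 * canary. If __nss_hostname_digits_dots() writes past the end of the
 * buffer, the canary is clobbered. A struct keeps the two adjacent. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

/* Length of the probe name: the largest name that passes the size check
 * in the vulnerable glibc. Vulnerable code sizes the buffer as
 *   sizeof(host_addr) + sizeof(h_addr_ptrs) + strlen(name) + 1
 * and forgets the h_alias_ptr slot (one char *), so a name of exactly this
 * length is accepted yet overflows the buffer by sizeof(char *) bytes.
 * host_addr is 16 bytes (room for IPv6); h_addr_ptrs is two pointers. */
size_t ghost_probe_name_len(void)
{
    return sizeof(probe.buffer) - 16 - 2 * sizeof(char *) - 1;
}

/* Returns:
 *   1  the canary was overwritten: this libc has the GHOST overflow
 *   0  gethostbyname_r() returned ERANGE and the canary is intact: the
 *      corrected size check is present (patched glibc)
 *   2  the call failed some other way without overflowing: the libc does
 *      not take this code path (for example musl, which rejects names over
 *      254 bytes up front), so it is not affected but not comparable either
 *  -1  the call succeeded, which neither a vulnerable nor a fixed glibc does */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int retval;
    char name[sizeof(probe.buffer)];
    size_t len = ghost_probe_name_len();

    /* An all-digit name is treated as a numeric address literal, so it is
     * never sent to DNS and the probe runs entirely offline. */
    memset(name, '0', len);
    name[len] = '\0';

    /* Reset the canary so the function can be called more than once. */
    memcpy(probe.canary, CANARY, sizeof(CANARY));

    retval = gethostbyname_r(name, &resbuf, probe.buffer,
                             sizeof(probe.buffer), &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;          /* overflow reproduced */
    if (retval == ERANGE)
        return 0;          /* fixed glibc rejects the under-sized buffer */
    if (retval != 0)
        return 2;          /* rejected elsewhere, no overflow */
    return -1;
}

int main(void)
{
    switch (ghost_check()) {
    case 1:  puts("vulnerable");     return 1;
    case 0:  puts("not vulnerable"); return 0;
    case 2:  puts("not applicable (non-glibc code path)"); return 0;
    default: puts("inconclusive");   return 2;
    }
}
```

Build with `cc -o ghost ghost.c` and run it on each host; the result reflects the glibc the process was dynamically linked against at start, which is exactly why long-running daemons must be restarted after the package update (they keep the old copy mapped until they exit). The canary sits right after the buffer because the overflow is the final strcpy of the name into the tail of the buffer: with the fixed size check the call fails before that copy, with the vulnerable check the copy runs sizeof(char *) bytes past the end.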