Jan 28 2015

Kernel Vulnerability Affects Major Linux Distributions

Researchers at the California-based security specialist Qualys, Inc. have detected a "serious weakness" in the GNU C Library (glibc) – the open-source edition of the C standard library – that renders Linux systems about as vulnerable to remote code execution as you'd expect from their Windows peers.

According to a blog post from Qualys Director of Engineering Amol Sarwate, it allows attackers to take control of victimized systems "without any prior knowledge of system credentials." The vulnerability is listed under the ID CVE-2015-0235 on NIST's Common Vulnerabilities and Exposures list as well as its National Vulnerability Database.

Sarwate explains that the Qualys team has discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. The bug can be triggered both locally and remotely via all of the gethostbyname*() functions, aka GHOST functions, which convert hostnames into IP addresses; it therefore affects all applications that rely on these functions as DNS resolvers. Attackers bent on exploiting the vulnerability may take complete control of the compromised systems. The attack vector is comparatively simple: potential adversaries only need to send a specially crafted email to a mail server in order to gain access to a Linux machine's remote shell. According to Sarwate, this approach "bypasses" common buffer overflow and heap overflow protections such as ASLR, position-independent executables, and NX bits.

The GHOST vulnerability is particularly ugly for two main reasons. The first is that glibc is essentially a standard library delivered with any major Linux distribution. The second is that it has been around for nearly a decade and a half: Sarwate claims that the first affected version was glibc-2.2, released in November 2000. A bug fix was offered in May 2013 between the releases of glibc-2.17 and glibc-2.18; at that point, however, the developers did not deem it to be a security threat, so that numerous popular stable and long-term distros were left open to the attack. Patches are now available for Debian 6.0 and 7.0 (Squeeze and Wheezy), openSUSE 11.4 (Evergreen), Oracle's Unbreakable Linux (versions 6.0 to 6.5), Red Hat Enterprise Linux (versions 4.0 ELS through 7.0), and Ubuntu LTS releases 10.04, 12.04 and 14.04 as well as some minor releases and community projects. The full list is available from Sarwate's blog entry. Moreover, Qualys also provides a detailed vulnerability analysis and a video advisory.

