Do you have Linux on your systems? If so, your security team should pay attention to a security warning from Google last month about another critical vulnerability in the glibc library. It is similar to the Ghost bug found a year ago and affects all versions of glibc since 2.9.
It has to be patched, warns Koen Van Impe, a security analyst at the Belgian national computer security incident response team.
The first vulnerability was found in the gethostbyname() function, he writes, while the so-called Ghost 2.0 is found in the getaddrinfo() function. Both functions are used for DNS lookups, and both bugs lead to buffer overflows.
And while many systems ostensibly don’t do DNS queries, Van Impe notes, it isn’t hard to force a system to do one. Therefore, he argues, all systems — both client and server — that use Linux are affected.
“There are no system credentials needed to exploit these vulnerabilities,” he writes. “Potential exploitation happens via a local or remote network connection.”
It is a good practice for CISOs to ensure all systems use a specific central resolver and block all other outgoing DNS traffic that doesn’t pass through it, Van Impe writes, and he gives a couple of good reasons why.
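One way to put that control into practice on a Linux host, written here as an added example rather than anything from Van Impe's post: a small POSIX shell script that emits iptables rules allowing DNS (UDP and TCP port 53) only to the central resolver, logs and drops everything else, and checks a resolv.conf for nameserver entries that bypass it. The resolver address 10.0.0.53 and the stray address 192.0.2.53 used in the usage note are assumptions, not values from the article.

```shell
#!/bin/sh
# Central resolver address: an assumed value, override with the environment variable.
CENTRAL_RESOLVER="${CENTRAL_RESOLVER:-10.0.0.53}"

# Print (rather than apply) the egress rules, so the script runs without root.
# Apply with: emit_dns_egress_rules | sh
emit_dns_egress_rules() {
    cat <<EOF
iptables -N DNS_EGRESS
iptables -A OUTPUT -p udp --dport 53 -j DNS_EGRESS
iptables -A OUTPUT -p tcp --dport 53 -j DNS_EGRESS
iptables -A DNS_EGRESS -d $CENTRAL_RESOLVER -j ACCEPT
iptables -A DNS_EGRESS -m limit --limit 5/min -j LOG --log-prefix "DNS-EGRESS-BLOCK: "
iptables -A DNS_EGRESS -j DROP
EOF
}

# Check a resolv.conf-style file (path in $1) for nameserver lines that point
# anywhere other than the central resolver. Returns 0 if clean, 1 if a stray
# resolver is configured (the names are printed to stderr).
check_resolv_conf() {
    stray=$(awk -v ok="$CENTRAL_RESOLVER" '$1 == "nameserver" && $2 != ok { print $2 }' "$1")
    if [ -n "$stray" ]; then
        echo "stray resolver(s) in $1: $stray" >&2
        return 1
    fi
    return 0
}

# Usage: sh dns_egress.sh /etc/resolv.conf
# Prints the rules, then exits non-zero if the host's resolver list bypasses the policy.
if [ -n "${1:-}" ]; then
    emit_dns_egress_rules
    check_resolv_conf "$1"
fi
```

The LOG rule is what turns the block into a detection signal: any host that tries to reach a resolver other than the central one (for instance a process forced into a lookup as Van Impe describes) shows up in the kernel log with the DNS-EGRESS-BLOCK prefix, which is worth forwarding to the SIEM.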
Patch management has long been a trying task for infosec teams, and it’s not going to get better. Last month, for example, I reported that Hewlett Packard Enterprise’s latest cyber threat report found the most exploited bug in 2015 was a Windows Shell vulnerability (CVE-2010-2568) that was discovered along with a patch issued in 2010 — and patched again in early 2015.
Finally, remember this advice from a consultant: “The vast majority of companies are approaching patching in the wrong way,” says Brand. “It’s few and far between where corporations are thinking about patching from a risk and prioritization basis, as opposed to ‘we just need to patch everything within 30 days’ and they waste all these cycles (of time) patching and testing. It’s the exception and not the norm.”