Linux server users are scrambling to plug a hole in the GNU C Library that a vendor says allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.
Qualys Inc. said this week the vulnerability is known as GHOST (CVE-2015-0235) as it can be triggered by the gethostbyname functions. It affects systems built on Linux starting with glibc-2.2 released on November 10, 2000. While there was a fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18, it wasn’t classified as a security advisory. As a result a number of distribution weren’t fixed including: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.
A patch was released Tuesday, with Qualsys working with Linux distributors on the solution. However, an expert was quoted on CSO Online saying the problem could be tough for administrators to fix. Mattias Geniar, a systems engineer with the Belgian hosting provider Nucleus, said in a blog post that the libraries are used by a lot of running services. “After the update, each of these services needs to be restarted,” he wrote.
He wrote an entire server should be rebooted after it has been updated, and at minimum all public-facing services such as Web servers and mail servers should also be restarted.
Amol Sarwate, director of engineering with Qualys, told SCMagazine.com that in tests his company was able to get a shell remotely, “which may allow attackers to steal files, delete programs, install malware or simply perform any other tasks that a user with valid credentials can perform.”
“After [we] identified the buffer overflow (__nss_hostname_digits_dots() function), we went about how this issue can be exploited remotely,” Sarwate told the site. The overflow can be exploited by calling the gethostbyname*() functions. All an attacker has to do then is install a program that can call the affected functions. Qualsys researchers did it by sending a specially crafted mail to a mail server, which was then take over.