Cybersecurity - GHOST Vulnerability: Things to Know

Frank Kardasz, February 4, 2015

Introduction

The GHOST vulnerability sent rumblings through parts of the computer security community recently.  What is GHOST and why is it important?

GHOST Defined

Qualys Inc., the company that re-branded the previously-discovered vulnerability as GHOST and alerted the community to the security risk describes GHOST as follows:

“The GHOST vulnerability is a serious weakness in the Linux glibc library.  It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials (Sarwate, 2015).”

Scope of the Problem

Computers using some (not all) Linux Operating systems may be open to the GHOST vulnerability.   One source estimated that 14 million computer servers were vulnerable to the threat (Stange, S. February, 2015).  Computers running Windows or MAC operating systems are not vulnerable to GHOST.

Vulnerable Systems

According to Nixcraft (2015), the following Linux Distributions are affected:

RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x

CentOS Linux version 5.x, 6.x & 7.x

Ubuntu Linux version 10.04, 12.04 LTS

Debian Linux version 7.x

Linux Mint version 13.0

Fedora Linux version 19 or older

SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).

SUSE Linux Enterprise Software Development Kit 11 SP3

SUSE Linux Enterprise Server 11 SP3 for VMware

SUSE Linux Enterprise Server 11 SP3

SUSE Linux Enterprise Server 11 SP2 LTSS

SUSE Linux Enterprise Server 11 SP1 LTSS

SUSE Linux Enterprise Server 10 SP4 LTSS

SUSE Linux Enterprise Desktop 11 SP3

Arch Linux glibc version <= 2.18-1

GNU C (glibc) Library

The Linux server weakness is within the Linux GNU C (glibc) Library.  The GNU C Library is an implementation of the standard C library and a core part of the Linux operating system (Sarwate, 2015).  Every Unix-like operating system needs a C library.  The C library defines the “system calls'' and other basic facilities including open, malloc, printf, and exit (GNU.org, 2015).

Buffer Overflow

The GHOST vulnerability may permit malicious hackers to gain remote access by using buffer overflow.  The buffer is a temporary storage area, usually in the Random Access Memory (RAM).  The buffer is a holding area, permitting the Central Processing Unit (CPU) to manipulate data before sending it to a device (Beal, 2015).  The space within a buffer is limited, and an attacker can sometimes overwhelm the buffer with too much data and then introduce malicious code to exploit or control the victim’s computer (Kay, 2003). 

Remote Code Execution

GHOST permits a buffer overflow and remote code execution.  A remote code execution is a situation where a computer hacker infiltrates the victims computer from afar.  In the GHOST case the researchers were able to test the vulnerability and send a specially crafted email to the vulnerable computer’s mail server thus enabling a remote shell to the victim’s machine (Sarwate, 2015).

The Fix

Patches are available from various Linux distribution sources that will fix the GHOST vulnerability.  Information about patches can be found at the Nixcraft site: http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/

Summary

The GHOST vulnerability is a serious weakness to many Linux servers.  Information technology specialists should immediately patch vulnerable systems and stay on constant alert for similar problems and patches.  Qualys offers an informative video about GHOST at the following link: https://www.youtube.com/watch?v=zHRRLsZtWAA

References

Beal, V. (2015). Buffer. Webopedia. Retrieved from http://www.webopedia.com/TERM/B/buffer.html

GNU.org. (September 7, 2014). The GNU C Library (glibc). Retrieved from https://www.gnu.org/software/libc/index.html

Kay, R. (July 14, 2003). Buffer Overflow. Computerworld. Retrieved from http://www.computerworld.com/article/2572130/security0/buffer-overflow.html

Nixcraft. (January 28, 2015). How To Patch and Protect Linux Server Against the Glibc GHOST Vulnerability # CVE-2015-0235. Retrieved from http://www.cyberciti.biz/faq/cve-2015-0235-patch-ghost-on-debian-ubuntu-fedora-centos-rhel-linux/

Sarwate, A. (January 27, 2015). The GHOST Vulnerability. Qualys Blog. Qualys Inc. Retrieved from https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

Stange, S. (February 3, 2015). Seven things you need to know about the GHOST vulnerability. Security Features. Net Communities 2015. Retrieved from http://www.itproportal.com/2015/02/03/seven-things-need-know-about-ghost-vulnerability

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

 http://kardasz.blogspot.com/2015/02/ghost-vulnerability-things-to-know.html