Ghostbusting in the 'critically' vulnerable Linux machine

News by Adrian Bridgwater

Whose afraid of GHOSTs? Disagreement over potential risks of new Linux vulnerability, but layered defence is recommended.

Security vendor Qualys has exposed and defined a new critical Linux vulnerability in the Linux GNU C Library (versions 2.2 and newer) that is capable of instigating remote code execution in some cases. The threat could lead to malicious control over user devices and system installations that date back to year 2000.

Known formally as CVE-2015-0235, the threat is more jauntily named GHOST because it can be triggered by the "_gethostbyname" function, a networked computing control used by a vast number of machines.

Qualys CTO Wolfgang Kandek has said that the flaw could allow attackers to gain remote control of a system without having any prior knowledge of system credentials. An attacker could send a simple email on a Linux-based system to trigger a buffer overflow and automatically get complete access to that machine.

Danger disclosure dilemma

Szilard Stange, director at software management toolkit and malware scanning company Opswat, asserts that vulnerabilities like this bring into question exactly how we as an industry handle the wider disclosure process. This is because, according to Opswat investigation, many distributions were not affected by this vulnerability like the latest long-term-support release of Ubuntu.

“Many distributions [had] released an update to the vulnerable software about a week before the publication date and many others have released updates on the same day, like Red Hat and Debian. All the updates were released as a result of the coordination of the disclosure process. We can say that all major Linux distributions had the fix released on the same day of security advisory release,” Strange told

“The bad guys can easily track back vulnerabilities from the patched source code and they have many software engineers on board to develop the exploit code to sell or to utilise it to attack another distributions. On the other hand, what would happen if all distributions got the security release at the same time? This is why layered defence is so important and that is why we suggest that nobody should trust only in one system. Homogeneous systems are easier to manage but these systems could make the company infrastructure open if a core component like the Linux GNU C Library is vulnerable," he added.

There is clearly some dissent here as to the risks posed by GHOST. One camp is talking up the risk of remotely installed cyber-espionage-aligned malware to create botnet zombies -- while the other says that this is not the end of the internet as we know it, nor is it another Heartbleed.

Deep inside library-level vulnerabilities

In a general sense, it's not likely to be an easy bug to exploit says HD Moore, chief research officer and celebrated penetration testing guru at Rapid7.

Linux-based appliances from a variety of vendors are going to be impacted, though as with most library-level vulnerabilities, the attack surface is still largely unknown. If you use Linux-based appliances, check with your vendor to determine whether an update is available and needs to be applied,” he said in a statement to the press. 

“One easily-exploitable case identified so far is the Exim mail server. An attacker could abuse this vulnerability to execute arbitrary commands on an unpatched server,” Moore continued.

Dissent over the severity of this threat notwithstanding, all parties strongly recommend a layered approach to system security as well as immediate patching and rebooting so that services using the old library will be restarted.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews