Qualys today announced a new vulnerability, GHOST (CVE-2015-0235). GHOST is a heap-based buffer overflow in the GNU C Library that can be exploited both locally and remotely, which makes it extremely dangerous. It is named after the gethostbyname() function through which the vulnerable code is reached.
Buffer overflows are a long-standing class of vulnerability, and this one follows the familiar pattern: the attacker supplies crafted input (here, a hostname made up of digits and dots that is longer than the library expects) to an application that passes it to gethostbyname() or gethostbyname2(), and the resulting out-of-bounds write can be turned into arbitrary code execution with the privileges of the vulnerable process. The overflow itself is small, 4 bytes on 32-bit systems and 8 bytes on 64-bit systems, and applications that resolve names with the newer getaddrinfo() are not affected, so exploitability depends on how the calling application uses the function; Qualys nevertheless demonstrated remote code execution against a real mail server.
Unfortunately, the vulnerability lives in the GNU C Library (glibc), the standard C library underneath most Linux distributions, so it is present on an enormous installed base. The vulnerable code was introduced in glibc 2.2, released in November 2000, and a great many programs call glibc's gethostbyname() family to resolve names. The bug was actually fixed upstream in May 2013 (between glibc 2.17 and 2.18), but it was not recognised as a security issue at the time, so most stable and long-term-support distributions never backported the fix and still ship the vulnerable code.
How Many Systems Are Affected?
With over 100,000 Linux machines currently registered, and voluntary registration estimated to capture 5% or less of installed systems, the installed base is at least two million machines and potentially far more. Not every one of them runs a vulnerable glibc, but the share that does is large.
Per Qualys, affected operating systems include (but are not limited to):
- Debian 7 (wheezy)
- Red Hat Enterprise Linux 6, 7
- CentOS 6, 7
- Ubuntu 12.04
What Can I Do About GHOST?
One thing is for sure: buffer overflow vulnerabilities like GHOST and others like it are going to keep being discovered, and you’re going to have to respond. It’s best to factor in this unfortunate fact of life when planning your IT security strategy.
As with any vulnerability, the best way to mitigate GHOST is to identify vulnerable systems, prioritize remediation by asset criticality, and deploy patches. Keep a current inventory of devices, operating systems, and applications on your network so that you can answer the question "Am I vulnerable?" before some bad actor answers it for you. One caveat specific to a shared library like glibc: installing the updated package is not enough on its own, because every long-running process that already has the old library mapped keeps executing the vulnerable code until it is restarted. Reboot the host, or at least restart every network-facing service, after patching.
This situation also highlights the need to stay vigilant about the latest happenings in infosec, and to work with vendors who are active in the security community. Look for vendors who are committed to mitigating vulnerabilities promptly, so that they help you keep up with emerging threats like this one.
Bottom line: some vendors have already identified vulnerable systems and applications and released patches. But don't take their word for it: perform regular vulnerability scans yourself to confirm that the fix has actually landed on every affected host.
Update 1/28: As part of our commitment to enable our customers to detect emerging threats quickly, the AlienVault Labs Threat Research Team has released new correlation rules to detect exploits targeting the GHOST vulnerability through the Exim mail server. Qualys's advisory for CVE-2015-0235 demonstrated exactly this exploit against Exim, so it is likely to be one of the main vectors used against GHOST.
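The quickest way to answer "Am I vulnerable?" on a given host is to ask its own glibc. The program below is an added example, not code from the original post; it follows the approach of the GHOST.c test Qualys published, rewritten here with the result returned from a function. It hands gethostbyname_r() an all-digit "hostname" and a buffer sized so that the vulnerable version's under-count exactly fills the buffer; the forgotten pointer then lands on a canary placed right after the buffer. A fixed glibc counts correctly, sees the buffer is too small, and refuses with ERANGE without writing anything. The buffer size, canary string and status names are choices made for this example.

```c
/* Added example (not from the original post): local test for CVE-2015-0235.
 * Mirrors the technique of Qualys's published GHOST.c test. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* arbitrary marker chosen for this example */

enum ghost_status {
    GHOST_NOT_VULNERABLE = 0, /* lookup refused with ERANGE, canary intact */
    GHOST_VULNERABLE     = 1, /* canary after the buffer was overwritten */
    GHOST_INCONCLUSIVE   = 2  /* some other result (non-glibc libc, other
                                 error path); canary intact */
};

/* The canary sits immediately after the resolver buffer, so any write
 * past the end of 'buffer' lands in it. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

enum ghost_status check_ghost(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];

    /* Vulnerable glibc computes the space it needs as
     *   sizeof(host_addr) + sizeof(h_addr_ptrs) + strlen(name) + 1
     * (host_addr is 16 bytes, h_addr_ptrs is two pointers) and forgets the
     * extra pointer it also stores (h_alias_ptr). Pick strlen(name) so that
     * its wrong total exactly equals the buffer size: the forgotten pointer,
     * 4 or 8 bytes, is then written straight over the canary. */
    size_t len = sizeof(probe.buffer) - 16 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);          /* all digits: takes the numeric fast path */
    name[len] = '\0';

    /* re-arm the canary so the check can be repeated within one process */
    memcpy(probe.canary, CANARY, sizeof(CANARY));

    int rc = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                             &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (rc == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    static const char *const names[] = { "not vulnerable", "vulnerable", "inconclusive" };
    enum ghost_status s = check_ghost();
    printf("glibc GHOST check: %s\n", names[s]);
    return s == GHOST_VULNERABLE ? 1 : 0;
}
```

Compile with `gcc -o ghost-check ghost-check.c` and run it on each host. A patched glibc prints "not vulnerable" (the ERANGE path); an unpatched one prints "vulnerable". "Inconclusive" means the resolver took some other path, for example on a system whose libc is not glibc, and tells you nothing either way. Note that this probes only the libc the test binary links against, so it will not catch a statically linked or container-bundled copy of an old glibc.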
Visit our AlienVault Forums for more information on this update and all the integrated threat intelligence updates in the USM platform from AlienVault Labs: https://www.alienvault.com/forums/discussion/4485/alienvault-labs-threat-intelligence-update-ghost