A serious and remotely exploitable vulnerability in a key component of Linux operating systems is being felt far and wide and has again raised the issue of security vulnerabilities in widely used open source software.
The security firm Qualys issued a warning on Tuesday about the vulnerability, which was discovered in a code audit performed by the company. A buffer overflow in a function of the GNU C Library (glibc) can be exploited locally and remotely via a set of functions known as gethostbyname(). Qualys said it was able to create a proof-of-concept remote exploit against the Exim mail server, bypassing all existing security protections on both 32-bit and 64-bit machines.
Versions of the GNU C Library from glibc-2.2 (November 10, 2000) up to glibc-2.18, which finally fixed the hole, are affected. That fix was released in May, 2013.
Although the vulnerability was eventually fixed, that fix was inadvertent, Qualys warned, meaning that most Linux distributions were left exposed to the vulnerability. They include Debian 7, Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.
The reach of the vulnerability is widespread, according to The SANS Institute’s Internet Storm Center (ISC). In a post on the ISC website, Johannes Ullrich noted that glibc functions are used on most Unix systems to resolve hostnames.
“Any software that at some point resolved host names is potentially vulnerable, which includes pretty much all software that uses the network in some form (clients and servers),” Ullrich wrote.
The vulnerability shares similarities with other recent vulnerabilities in common open source code packages, including the Heartbleed vulnerability in OpenSSL and the Shellshock vulnerability in Bash, the shell common on Linux systems.
As with those vulnerabilities, the Ghost vulnerability lay hidden in legacy code written decades ago that is widely used but seldom scrutinized.
In the case of the gethostbyname() functions that are used to exploit Ghost, newer and more robust functions exist, notes Robert Graham of Errata Security. The gethostbyname() function dates to the late 1980s and has been “obsolete for a decade,” Graham wrote. Application developers writing for the Unix or Linux platforms should instead be using getaddrinfo(), a newer function that is part of the IEEE’s POSIX (Portable Operating System Interface) standards. gethostbyname() is not part of POSIX and is no longer considered “standard,” Graham notes.
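As an added example (not code from the article or from Errata Security), the same lookup written once against the obsolete gethostbyname() and once against the POSIX getaddrinfo() that Graham recommends; the function names are my own, and the inputs are numeric literals so it runs offline without DNS.

```c
/* Added example, not code from the article or from Errata Security: one lookup
 * against the obsolete gethostbyname() and against POSIX getaddrinfo(). */
#define _POSIX_C_SOURCE 200112L
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Legacy: IPv4 only, result lives in static storage (not thread-safe), and it
 * is the API family named in the advisory above. */
static int resolve_legacy(const char *host, char *out, size_t outlen)
{
    struct hostent *he = gethostbyname(host);
    if (he == NULL || he->h_addrtype != AF_INET || he->h_addr_list[0] == NULL)
        return -1;
    return inet_ntop(AF_INET, he->h_addr_list[0], out, outlen) ? 0 : -1;
}

/* Replacement: reentrant, family-agnostic, caller frees the result list. */
static int resolve_modern(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;     /* IPv4 or IPv6 */
    hints.ai_socktype = SOCK_STREAM; /* one entry per address */
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return -1;
    const void *addr = NULL;
    if (res->ai_family == AF_INET)
        addr = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
    else if (res->ai_family == AF_INET6)
        addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;
    int rc = (addr && inet_ntop(res->ai_family, addr, out, outlen)) ? 0 : -1;
    freeaddrinfo(res);
    return rc;
}

/* 1 if the chosen resolver maps host to the expected textual address. */
static int resolves_to(int use_modern, const char *host, const char *expected)
{
    char out[INET6_ADDRSTRLEN];
    int rc = use_modern ? resolve_modern(host, out, sizeof out)
                        : resolve_legacy(host, out, sizeof out);
    return rc == 0 && strcmp(out, expected) == 0;
}

/* Exit status 0 when the modern path resolves an IPv6 literal; no DNS used. */
int main(void) { return resolves_to(1, "::1", "::1") ? 0 : 1; }
```

The legacy path cannot return an IPv6 address at all, which is one practical reason beyond the bug itself to migrate.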
Unix and Linux account for just a fraction of the desktop market, but are a common choice for Web servers and – increasingly – for embedded devices sold to consumers and industry.
It is unclear whether Qualys was the first organization to discover the Ghost vulnerability. However, now that the vulnerability is a matter of public record, there will be pressure on organizations that use affected versions of Linux and Unix to update to a newer version of the operating system with the fixed gethostbyname() functions.
In the wake of the Heartbleed vulnerability, there were reports of malicious attacks that took advantage of the security hole. In August, for example, the security firm TrustedSec attributed an attack on the healthcare network Community Health Services to an exploit of the “Heartbleed” vulnerability in OpenSSL.