Understanding and Fixing the GHOST Vulnerability (CVE-2015-0235)

Introduction

It appears we have yet another sleepy crawly creepy bug lurking in the depths of our linux boxes.
Security researchers at cloud security firm Qualys found a critical vulnerability in Linux, specifically the GNU C Library, commonly known as (glibc). It seems as though all new vulnerabilities need to have catchy marketing names so this one was dubbed "GHOST" which was derived from the vulnerable glibc function name - "GetHOSTbyname()" -  allows attackers to remotely hack into vulnerable systems without any passwords or administrator credentials.

What is GHOST vulnerability?
GHOST relates to a critical flaw in the GNU C Library (glibc), a core Linux library which is used in many Linux versions and affects several implementations of the operating system. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.
CVE-2015-0235 has been assigned to this issue.

"During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address."

Source: Qualys

GHOST Vulnerability (CVE-2015-0235) Video

 

It seems that the the bug has existed for a little more than 14 years (the first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on 10 November 2000).
Unfortunately, it was not recognised as a security threat; as a result, most stable and long-term support distributions were left exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, and Ubuntu 12.04.

This vulnerability has long been patched. The underlying problem was first introduced into glibc in 2000, but was fixed by May 2013. This means that many newer Linux operating systems were never at risk.

What is the risk?

There is a remote code execution risk due to this vulnerability. An attacker who exploits this issue can gain complete control of the compromised system.

Is this a design flaw?

No. This is an implementation problem in the affected versions of the software.

Which versions of glibc are vulnerable?

If the version of glibc is older than 2.18, your system is vulnerable to GHOST and should be updated. If you are using 2.18 or later, you are safe from the vulnerability.

All versions of glibc from glibc-2.2 (released 2010-11-10) until glibc-2.17 are vulnerable.  

Versions 2.18 through 2.20 (inclusive) or under 2.1.3 (inclusive) are NOT vulnerable.

Which OS platforms are being targeted or could be affected? 

The following OS platforms may be affected:

• Ubuntu Ubuntu Linux 12.04 LTS i386
• Ubuntu Ubuntu Linux 12.04 LTS amd64
• Ubuntu Ubuntu Linux 10.04 sparc
• Ubuntu Ubuntu Linux 10.04 powerpc
• Ubuntu Ubuntu Linux 10.04 i386
• Ubuntu Ubuntu Linux 10.04 ARM
• Ubuntu Ubuntu Linux 10.04 amd64
• Red Hat Enterprise Linux Desktop 5 client
• Red Hat Enterprise Linux 5 Server
• S.u.S.E. Linux 7.1 x86
• S.u.S.E. Linux 7.1 sparc
• S.u.S.E. Linux 7.1 ppc
• S.u.S.E. Linux 7.1 alpha
• S.u.S.E. Linux 7.1
• Wirex Immunix OS 7+
• Debian Linux 6.0 sparc
• Debian Linux 6.0 s/390
• Debian Linux 6.0 powerpc
• Debian Linux 6.0 mips
• Debian Linux 6.0 ia-64
• Debian Linux 6.0 ia-32
• Debian Linux 6.0 arm
• Debian Linux 6.0 amd64 

Is the vulnerability being exploited in the wild?

There are no report as such now, but Proof of Concept has produced to proove its claim by the researchers at Trustwave.

The proof-of-concept code can be used to check whether a remote web server is vulnerable to Ghost. It works by sending an XML request to the XML-RPC Pingback functionality of WordPress which includes a long URL.

The code works on patched and unpatched versions but they will respond in a different way thus allowing the researcher or administrator to determine whether the server is patched or not.

Click here to get Ruby PoC script

Qualys plans to release a metasploit module in the near future.

Is your web server is victim of GHOST vulnerability?

Monitor your logs : When attackers are attempting to exploit this vulnerability against your web servers, there will most likely be error messages (segmentation faults, etc...) that will indicate a problem.

Is the exploit available to download?

Thankfully, Qualys hasn’t released a working version of the hack yet. They’re waiting until half of all Linux servers are updated, and then are releasing it to force the hand of the remaining half.

How to fix the GHOST vulnerability?

1. Install latest version of glibc here . Current stable version of glibc is 2.21 and don't forget to reboot!
2. Disable the XML-RPC process altogether if you do not want to use it.
3. Disable the pingback feature by adding the following to your functions.php file:                            

                  add_filter( 'xmlrpc_methods', function( $methods ) {
                         unset( $methods['pingback.ping'] );
                         return $methods;
                   } );

References:

• RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
• Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
• Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
• Oracle Enterprise Linux: https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html
• CentOS: http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html
• OpenSUSE: http://lists.opensuse.org/opensuse-updates/2015-01/msg00085.html
• GNU C Library: http://www.gnu.org/software/libc/
• Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
• https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
• https://www.digitalocean.com/community/tutorials/how-to-protect-your-linux-server-against-the-ghost-vulnerability