CIS CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
Vulnerability in GNU C Library Could Allow for Remote Code Execution (Ghost Vulnerability)
A vulnerability has been discovered in the GNU C Library (glibc) which could allow for remote code execution. This library is required in all modern distributions of Linux as it defines the system calls and other basic facilities used in the Linux kernel. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the exploited application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could lead to a denial of service condition for the affected application.
As of the writing of this advisory, no exploit code is available. This vulnerability is known as the Ghost vulnerabilityin public sources.
- Debian 6.0
- Debian 7.0
- SuSE Linux 7.1.0
- WireX Immunix OS 7+
- Red Hat Enterprise Linux 5
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Oracle Enterprise Linux 5
- CentOS 6
- CentOS 7
- Ubuntu 10.04
- Ubuntu 12.04
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
Home users: Medium
Glibc is prone to a heap-based buffer overflow vulnerability because it fails to properly sanitize user-supplied data before copying it into the buffer. Specifically, this issue exists in the '__nss_hostname_digits_dots()' function, which is used by the 'gethostbyname()' and 'gethostbyname2()' function calls. As this vulnerability is triggered by the gethostbyname*() function calls, this vulnerability has been dubbed GHOST, for GetHOST. The first vulnerable version of glibc is glibc-2.2. This vulnerability was fixed on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18, however because it was not recognized as a security threat, most stable distributions were left exposed.
An attacker can exploit this vulnerability to execute arbitrary code in the context of the affected application. Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the exploited application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could lead to a denial of service condition for the affected application.
We recommend the following actions be taken:
- Apply appropriate patches provided by the affected Linux distribution to vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.