A new, dangerous and widespread vulnerability has been found in the GNU C Library (glibc). It has been nicknamed GHOST after the function that is affected; its official identifier is CVE-2015-0235.

Work carried out by Qualys (https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability) has found that certain functions in the library are vulnerable to a buffer overflow attack, giving the attacker full remote access to the victim.

“During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname() functions. Applications have access to the DNS resolver primarily through the gethostbyname() set of functions. These functions convert a hostname into an IP address.”

It's worth noting that these functions are not used for IPv6, so this vulnerability only affects systems running IPv4. The library is also only used on Linux, so Windows and Mac OS are not affected.

Since glibc is used on a lot of Linux systems, this problem is widespread, but the saving grace may be that it doesn’t affect all the software that uses the library.

Affected Software

Software the Qualys team found not to be vulnerable includes:

  • Apache
  • mariadb/mysql
  • nfs-utils
  • openldap
  • openSSH
  • postfix
  • pure-ftpd
  • Samba
  • Sendmail
  • tcp_wrappers

One of the major pieces of software that is affected is Exim4. It should be patched immediately, as Qualys have a working exploit which they will be releasing.

There is a lot of other software that this affects, but most distributions have released a fix, so regardless of whether you think you’re vulnerable, it’s best just to patch to make sure you aren’t.

If you do patch, don’t forget to restart any affected software or, best of all, reboot the system to ensure all affected applications are restarted.
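To check which services still need that restart, the following added example (not from Qualys or any distribution) lists processes that still map a glibc file which has been replaced on disk. It assumes the Linux /proc layout; the function name `stale_libc_pids` and its optional proc-root argument are hypothetical, the argument existing only so the function can be run against constructed data.

```shell
#!/bin/sh
# Added example: find processes that loaded glibc before it was upgraded.
# After a package update the old library file is unlinked, but running
# processes keep it mapped; /proc/<pid>/maps then shows it as "(deleted)".
# Assumption: Linux /proc layout. Run as root to see every process.

stale_libc_pids() {
    # $1 (optional): alternative proc root, used only for testing on
    # constructed data. Defaults to the real /proc.
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        # Skip processes that exited or that we may not read.
        [ -r "$maps" ] || continue
        # Match libc-2.19.so or libc.so.6 style names marked deleted,
        # but not other libraries such as libcrypto.
        if grep -Eq '/libc(-[0-9.]+)?\.so[^ /]* \(deleted\)$' "$maps" 2>/dev/null; then
            pid="${maps%/maps}"
            pid="${pid##*/}"
            name="$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Scan the live system only when invoked with --scan.
if [ "${1:-}" = "--scan" ]; then
    stale_libc_pids
fi
```

Every process it prints is still running the pre-patch library and must be restarted; an empty result after the update means nothing is left on the old copy.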

RedHat – https://access.redhat.com/security/cve/CVE-2015-0235

Debian – https://security-tracker.debian.org/tracker/CVE-2015-0235

Ubuntu – http://www.ubuntu.com/usn/usn-2485-1/