https://security-tracker.debian.org/tracker/CVE-2015-0235
2015-01-28 18:04 GMT+08:00 linux...@gmail.com <linux...@gmail.com>:
> A critical vulnerability has been found in glibc, the GNU C library,
> that affects all Linux systems dating back to 2000. Attackers can use
> this flaw to execute code and remotely gain control of Linux machines.
>
> The issue stems from a heap-based buffer overflow found in the
> __nss_hostname_digits_dots() function in glibc. That particular
> function is used by the _gethostbyname function calls.
>
> “A remote attacker able to make an application call either of these
> functions could use this flaw to execute arbitrary code with the
> permissions of the user running the application,” said an advisory
> from Linux distributor Red Hat.
>
> The vulnerability, CVE-2015-0235, has already been nicknamed GHOST
> because of its relation to the _gethostbyname function. Researchers at
> Qualys discovered the flaw, and say it goes back to glibc version 2.2
> in Linux systems published in November 2000.
>
> According to Qualys, there is a mitigation for this issue that was
> published May 21, 2013 between patch glibc-2.17 versions and
> glibc-2.18.
>
> “Unfortunately, it was not recognized as a security threat; as a
> result, most stable and long-term-support distributions were left
> exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6
> & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from
> Qualys posted to the OSS-Security mailing list.
>
> Respective Linux distributions will be releasing patches; Red Hat has
> released an update for Red Hat Enterprise Linux v.5 server. Novell has
> a list of SUSE Linux Enterprise Server builds affected by the
> vulnerability. Debian has already released an update of its software
> addressing the vulnerability.
>
> “It’s everywhere, which is kind of the urgency we have here. This has
> been in glibc for a long time. It was fixed recently, but it was not
> marked as a security issue, so things that are fairly new should be
> OK,” said Josh Bressers, a member of the Red Hat security response
> team. “From a threat level, what it comes down to is a handful of
> stuff that’s probably dangerous that uses this function.”
>
> Unlike past Internet-wide bugs such as Bash, patching glibc may not be
> the chore it was with Bash since so many components made silent Bash
> calls.
>
> “In this instance, you just apply the glibc update, and restart any
> services that are vulnerable,” Bressers said. “It’s not confusing like
> Shellshock was.”
>
> Qualys, in its advisory, not only shares extremely in-depth technical
> information on the vulnerability, but also includes a section
> explaining exploitation of the Exim SMTP mail server. The advisory
> demonstrates how to bypass NX, or No-eXecute protection as well as
> glibc malloc hardening, Qualys said.
>
> Qualys also said that in addition to the 2013 patch, other factors
> mitigate the impact of the vulnerability, including the fact that the
> gethostbyname functions are obsolete because of IPv6 and newer
> applications using a different call, getaddrinfo(). While the flaw is
> also exploitable locally, this scenario too is mitigated because many
> programs rely on gethostbyname only if another preliminary call fails
> and a secondary call succeeds in order to reach the overflow. The
> advisory said this is “impossible” and those programs are safe.
>
> There are mitigations against remote exploitation too, Qualys said.
> Servers, for example, use gethostbyname to perform full-circle reverse
> DNS checks. “These programs are generally safe because the hostname
> passed to gethostbyname() has normally been pre-validated by DNS
> software,” the advisory said.
>
> “It’s not looking like a huge remote problem, right now,” Bressers said.
>
> However, while the bug may have been dormant since 2000, there is no
> way to tell if criminals or government-sponsored hackers have been
> exploiting this vulnerability. Nor is there any way to tell what will
> happen once legitimate security researchers—and black hats—begin
> looking at the vulnerability now that it’s out in the open. With Bash,
> for example, it didn’t take long for additional security issues to
> rise to the surface.
>
> - See more at:
> https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679
>
> --
> 白清杰 (Born Bai)
>
> Mail: linux...@gmail.com

--
白清杰 (Born Bai)
Mail: linux...@gmail.com
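The quoted article makes two practical points for defenders: the obsolete gethostbyname() family is where the overflow lives, and newer code uses getaddrinfo() instead; and the fix shipped with glibc 2.18, so anything older needs a vendor advisory check. The following C program is an added example written for this post, not code from the article, Qualys or Red Hat. It resolves hosts through getaddrinfo() (restricted to numeric literals so it runs offline) and compares a glibc version string against 2.18. The function names and the constructed sample inputs are this example's own; the version rule deliberately reports "older than 2.18" as "check your distribution's advisory", because distributions backport fixes without changing the version string.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>
#endif

/* Resolve a host with getaddrinfo(), the call the article names as the
 * modern replacement for gethostbyname().  AI_NUMERICHOST keeps this
 * offline: only literal IPv4/IPv6 addresses are accepted and no DNS
 * lookup happens.  The textual address is written to out; returns 0 on
 * success, 1 if the input is rejected or conversion fails. */
int resolve_numeric(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;       /* accept IPv4 and IPv6 */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST;   /* reject anything that is not a literal */

    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return 1;

    const void *addr;
    if (res->ai_family == AF_INET)
        addr = &((struct sockaddr_in *)res->ai_addr)->sin_addr;
    else
        addr = &((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;

    const char *p = inet_ntop(res->ai_family, addr, out, (socklen_t)outlen);
    freeaddrinfo(res);
    return p == NULL;
}

/* Convenience wrapper (hypothetical helper for this example): 1 if host is a
 * numeric literal that renders back as expect, else 0. */
int numeric_resolves_to(const char *host, const char *expect)
{
    char buf[INET6_ADDRSTRLEN];
    if (resolve_numeric(host, buf, sizeof buf) != 0)
        return 0;
    return strcmp(buf, expect) == 0;
}

/* Compare a "major.minor" glibc version string against 2.18, the release the
 * article cites as carrying the fix.  Returns 1 if older than 2.18, 0 if 2.18
 * or newer, -1 if the string does not parse.  A 1 means "consult the vendor
 * advisory", since backported fixes do not bump this string. */
int version_older_than_2_18(const char *version)
{
    int major = 0, minor = 0;
    if (sscanf(version, "%d.%d", &major, &minor) != 2)
        return -1;
    return (major < 2 || (major == 2 && minor < 18)) ? 1 : 0;
}

/* Apply the rule to the running C library; -1 when not built against glibc. */
int running_glibc_older_than_2_18(void)
{
#ifdef __GLIBC__
    return version_older_than_2_18(gnu_get_libc_version());
#else
    return -1;
#endif
}

int main(void)
{
    /* Constructed sample inputs: two literals and one non-literal hostname. */
    const char *samples[] = { "127.0.0.1", "::1", "mail.example.invalid" };
    char buf[INET6_ADDRSTRLEN];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (resolve_numeric(samples[i], buf, sizeof buf) == 0)
            printf("%s -> %s\n", samples[i], buf);
        else
            printf("%s -> rejected (not a numeric address)\n", samples[i]);
    }
    printf("running glibc older than 2.18: %d\n", running_glibc_older_than_2_18());
    return 0;
}
```

Dropping AI_NUMERICHOST turns this into a normal resolver; keeping the replacement on getaddrinfo() rather than gethostbyname() is the code-side change the article's "newer applications" remark refers to, while the version check only tells you where to look, not whether a backport is already installed.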