There are some silver linings in the wake of yesterday’s disclosure of the Ghost vulnerability in the GNU C Library, glibc, which is the C library on nearly every Linux system and which seemed to herald yet another Internet-wide vulnerability.
First, the bug, which dates back to 2000, is not the showstopper that the Shellshock vulnerability in Bash (the Bourne Again Shell) or Heartbleed were, but that does not mean it can wait: it still requires immediate patching. Perhaps most importantly, experts say it appears to be fairly challenging to exploit. For now only one major glibc-dependent package, the Exim mail transfer agent, is in the direct line of fire; the researchers at Qualys who found Ghost have a proof-of-concept exploit developed specifically for that MTA. Other experts caution that it could be a matter of time before further bugs surface.
“Some of the services most likely to be affected would be MTAs such as Exim, plus a range of web-reachable network diagnostic tools sometimes relied on by system administrators (e.g., webpages that let you run ‘ping’ or ‘traceroute’),” researcher Michal Zalewski told Threatpost. “When it comes to client applications, browsers would be probably the most likely vector—but the most popular ones are not believed to be vulnerable.”
Zalewski, a long-time bug hunter, was one of the first to find additional vulnerabilities in Bash after Shellshock emerged. He confirmed that a number of mitigations stand in the way of an attacker successfully pulling off a Ghost attack.
“The exploitation depends on being able to convince a program to perform a DNS lookup of a host name provided by the attacker,” Zalewski said. “The lookup has to be done in a very particular way and must lack a couple of commonly-employed (but certainly not mandatory) sanity checks.”
Ghost is a heap-based buffer overflow in the __nss_hostname_digits_dots() function of glibc that could enable remote code execution. That function is reached through the gethostbyname*() family of calls (gethostbyname(), gethostbyname2() and their reentrant _r variants). The vulnerability affects glibc 2.2 through 2.17. It was fixed on May 21, 2013, between the 2.17 and 2.18 releases, but the fix was not flagged as a security issue, so long-term-support distributions did not backport it and many deployed systems remained exposed.
In addition to the patch, Qualys pointed out that the gethostbyname*() functions are obsolete: with the advent of IPv6, newer applications use getaddrinfo() instead, which does not go through the vulnerable function. The flaw is also exploitable locally, but that scenario is mitigated as well. Many programs, especially SUID binaries reachable locally, call gethostbyname() only if a preliminary inet_aton() call on the same string fails, while the overflow can be reached only with a string that inet_aton() accepts as an IPv4 address. Both conditions cannot hold at once, so the advisory called exploitation through those programs “impossible” and considered them safe.
There are mitigations against remote exploitation too, Qualys said. Servers, for example, commonly use gethostbyname() for full-circle reverse DNS checks, resolving a connecting client’s address to a name and then that name back to an address. “These programs are generally safe because the hostname passed to gethostbyname() has normally been pre-validated by DNS software,” the advisory said.
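The guards described in the preceding paragraphs, beside a probe for the bug itself, as an added example in C that is not code from the article, from Qualys or from glibc. The probe follows the construction of the test program in the Qualys advisory; the hostname limits, the function names and the 999-digit sample input are this example’s own choices, and the probe reports on whichever libc the binary is linked against.

```c
/* Added example, not code from the article, Qualys or glibc: the guards the
 * text describes, beside a probe for the bug itself.
 * Build: cc -Wall -o ghost_checks ghost_checks.c */
#define _GNU_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define MAX_HOSTNAME 253   /* RFC 1035/1123 limits for a full name ... */
#define MAX_LABEL    63    /* ... and for a single label */

/* The kind of check Zalewski calls "commonly employed": accept only a
 * plausible DNS name before it reaches any resolver call. A GHOST payload
 * needs about 1 KB of digits and dots, so the length cap alone excludes it.
 * Returns 1 if the name is acceptable, 0 otherwise. */
int hostname_is_sane(const char *name)
{
    size_t len = strlen(name);
    size_t label = 0;   /* characters seen in the current label */
    char prev = '.';
    if (len == 0 || len > MAX_HOSTNAME)
        return 0;
    for (size_t i = 0; i < len; i++) {
        char c = name[i];
        if (c == '.') {
            if (label == 0 || prev == '-')   /* empty label, or "foo-." */
                return 0;
            label = 0;
        } else {
            if (!isalnum((unsigned char)c) && c != '-')
                return 0;
            if (c == '-' && label == 0)      /* label may not start with '-' */
                return 0;
            if (++label > MAX_LABEL)
                return 0;
        }
        prev = c;
    }
    return prev != '-';   /* trailing dot (FQDN form) is fine, "foo-" is not */
}

/* The pattern the advisory says keeps many programs safe: treat the input as
 * an IPv4 literal first and fall back to gethostbyname() only on failure.
 * The overflow is reachable only with a string inet_aton() accepts, so the
 * fallback can never see a payload. Returns 1 if a resolver call is still
 * needed, 0 if the literal was handled here. */
int needs_resolver(const char *name, struct in_addr *out)
{
    return inet_aton(name, out) == 0;
}

/* A GHOST-style input (999 digits, constructed here). Returns 1 if both
 * guards stop it: the length check rejects it and inet_aton() consumes it. */
int ghost_payload_is_filtered(void)
{
    char name[1000];
    struct in_addr addr;
    memset(name, '0', sizeof name - 1);
    name[sizeof name - 1] = '\0';
    return hostname_is_sane(name) == 0 && needs_resolver(name, &addr) == 0;
}

/* Probe the running libc, following the construction of the test program in
 * the Qualys advisory. The vulnerable size_needed arithmetic left out the
 * sizeof(char *) for the alias pointer, so a digits-only name of this length
 * exactly fills a 1024-byte buffer by the old count and overruns it by the
 * missing pointer, clobbering the canary placed right after the buffer.
 * A fixed libc counts correctly and returns ERANGE.
 * Returns 0 = not vulnerable, 1 = vulnerable, 2 = unexpected result. */
int ghost_probe(void)
{
    static const char CANARY[] = "in_the_coal_mine";
    struct {
        char buffer[1024];
        char canary[sizeof CANARY];
    } temp;
    struct hostent resbuf, *result = NULL;
    int herrno = 0, rc;
    size_t len = sizeof temp.buffer - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof temp.buffer];

    memcpy(temp.canary, CANARY, sizeof CANARY);
    memset(name, '0', len);
    name[len] = '\0';
    rc = gethostbyname_r(name, &resbuf, temp.buffer, sizeof temp.buffer,
                         &result, &herrno);
    if (strcmp(temp.canary, CANARY) != 0)
        return 1;
    return rc == ERANGE ? 0 : 2;
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "VULNERABLE", "unexpected" };
    printf("guards stop a GHOST-style name: %s\n",
           ghost_payload_is_filtered() ? "yes" : "no");
    printf("libc probe: %s\n", verdict[ghost_probe()]);
    return 0;
}
```

The probe never touches the network: a name made only of digits is handled as an address literal inside the resolver, which is exactly the code path the bug lives in. Note that the validator deliberately accepts short numeric strings such as 10.0.0.1; the point of the length cap is that the roughly 1 KB of digits an exploit needs can never be passed through.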
“To be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit,” said Rapid7 CSO and Metasploit creator HD Moore. “Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted.”
One of the major challenges with patching Bash was that so many services invoked Bash indirectly, and finding all of them before deploying patches was a chore. With Ghost, patching should be more streamlined: the quickest route to a fix is to deploy the updated packages provided by the respective Linux distributions. Matasano Security today published an extensive list of Linux distributions shipping vulnerable versions of glibc.
Rapid7’s Moore cautions that sysadmins must reboot (or at least restart every long-running process that loaded the old library, since a running process keeps using the copy it mapped at startup) for the patch to take effect.
“This can lead to a false sense of security if the proper precautions are not followed,” he said. “Given that Linux is used in all sorts of hardware products, it may take a while for the vendors to ship patches for affected appliances and devices. The silver lining is that most low-end embedded devices use a lightweight alternative to glibc (uClibc or Bionic) and are therefore not vulnerable in the first place.”
Chris Wysopal, CTO and cofounder of application security company Veracode, said servers compromised through Ghost could be turned into bots for DDoS attacks, or attackers could use the vulnerability to install malware leading to data loss.
“This is yet another example, like Heartbleed and Shellshock, of a reusable open source component that is widely used and also quite vulnerable,” Wysopal said. “In our research, we’ve found that open-source components such as glibc introduce an average of 24 known vulnerabilities into each web application. GHOST won’t be as widespread as Heartbleed and Shellshock, but it’s widespread enough that IT operations teams at many companies are now scrambling to find all instances so they can patch them ASAP.”
The good news is that, unlike past Internet-wide bugs, Ghost may not spawn a new spree of spin-off bugs.
“Glibc plays a role in almost everything that a program can do, but in most cases, the functionality involved in interacting with untrusted parties is fairly simple and robust. The glibc DNS resolver is actually one of the few exceptions to this rule. It is a fairly complex piece of machinery, so we will probably hear about it again,” Zalewski said. “That said, I would not expect a huge spike in glibc vulnerabilities just because of this particular find.”