What drove IT admins crazy about the Bash vulnerability was that it was difficult to determine—and patch—everything that was making a Bash call. It was everywhere.
Apparently, some of that angst applies to the Ghost vulnerability in the GNU C library, known as glibc. At first, experts believed the bug, which was related to gethostbyname function calls, was confined to Linux systems, but it didn’t take long for other exploit vectors, such as PHP applications, to surface.
Researchers at Veracode this week published their look at Ghost and determined that, like Bash, gethostbyname turns up nearly everywhere. And what’s sure to compound lingering frustration over Ghost is that gethostbyname was deprecated long ago and replaced by getaddrinfo() calls in order to support IPv6.
“We were surprised by the pervasiveness of calls to these functions, which are older functions which have been deprecated for about 15 years, mainly because of their lack of support for IPv6,” said Veracode cofounder and CTO Chris Wysopal. “So this analysis shows that there’s still a lot of old software out there that’s being used in production applications.”
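As an added example, not code from the article or from Veracode, this is what the replacement the article refers to looks like in practice: a resolver written against getaddrinfo() instead of the deprecated, IPv4-only gethostbyname(), accepting both IPv4 and IPv6 addresses. The function names are my own.

```c
#define _POSIX_C_SOURCE 200112L
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Resolve `host` with getaddrinfo(), the IPv6-capable replacement for
 * gethostbyname(). Each address is written to out[] as text.
 * Returns the number of addresses stored, or -1 if resolution fails.
 * With numeric_only != 0 only address literals are accepted (no DNS). */
int resolve_host(const char *host, int numeric_only,
                 char out[][INET6_ADDRSTRLEN], size_t max)
{
    struct addrinfo hints, *res, *p;
    size_t n = 0;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;     /* IPv4 and IPv6, unlike hostent */
    hints.ai_socktype = SOCK_STREAM; /* one entry per address, not per protocol */
    if (numeric_only)
        hints.ai_flags |= AI_NUMERICHOST;

    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0) {
        fprintf(stderr, "getaddrinfo(%s): %s\n", host, gai_strerror(rc));
        return -1;
    }
    for (p = res; p != NULL && n < max; p = p->ai_next) {
        const void *addr;
        if (p->ai_family == AF_INET)
            addr = &((struct sockaddr_in *)p->ai_addr)->sin_addr;
        else if (p->ai_family == AF_INET6)
            addr = &((struct sockaddr_in6 *)p->ai_addr)->sin6_addr;
        else
            continue;
        if (inet_ntop(p->ai_family, addr, out[n], INET6_ADDRSTRLEN) != NULL)
            n++;
    }
    freeaddrinfo(res); /* caller-owned result, no shared static buffer */
    return (int)n;
}

/* Helper: 1 if the literal `host` resolves to exactly `expected`, else 0. */
int literal_resolves_to(const char *host, const char *expected)
{
    char addrs[4][INET6_ADDRSTRLEN];
    int n = resolve_host(host, 1, addrs, 4);
    return n == 1 && strcmp(addrs[0], expected) == 0;
}
```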
Veracode said that 41 percent of the enterprise applications uploaded to its platform in the past 90 days rely on glibc to make gethostbyname function calls. The company added that 80 percent of those potentially vulnerable applications are critical off-the-shelf or homegrown business apps that access databases and backend systems executing sensitive transactions.
Most of those vulnerable applications, Veracode said, were written in C or C++, but many are also Java, PHP and .NET apps.
“This implies that the vulnerability may be more widespread than might otherwise be expected,” Wysopal said. “Knowing exactly where these applications reside can help enterprises prioritize their patching efforts in globally-distributed environments.”
Ghost affects most Linux systems dating back almost 15 years, in particular glibc 2.2 through 2.17. The vulnerability was patched in May 2013, though the patch was not labeled a security vulnerability and as a result may not have been widely deployed.
Since the bug was disclosed, most Linux distributions have released patches, and experts say this is the best mitigation for Ghost. Researchers at Qualys discovered the vulnerability and posted a lengthy advisory that included proof-of-concept exploit code against the Exim SMTP mail transfer agent. In addition to Exim, clockdiff, procmail and pppd were initially identified as vulnerable to Ghost exploits. Since then, researchers at Sucuri also said that PHP applications, including WordPress, were another weak spot.
Exploiting Ghost, however, remains a challenge.
“Unlike with Heartbleed, which was a protocol-level vulnerability, exploiting this vulnerability requires a specially-crafted payload that has been targeted for a specific application and hardware platform,” Wysopal said. “That means you can’t simply reuse the proof-of-concept exploit developed by Qualys (for the Exim mail server) to attack other applications. As a result, GHOST attacks are more likely to be sophisticated and targeted.”
Like other Internet-wide bugs, this one can be exploited to execute code remotely, manipulate files, install malware or turn the compromised machine into a bot to be used in DDoS attacks.
“Some researchers believe that the most likely outcome in a real-world scenario would be a segmentation fault, not code execution, but this can also result in a DoS attack,” Wysopal said.
The Ghost bug and other major vulnerabilities of the last nine months are a reminder of the frailty of open source security as well as how much insecure legacy code is running inside most enterprises.
“The most important conclusion is that our entire digital infrastructure is built on applications and components that were fundamentally not designed for the hostile cyber environment in which we find ourselves today,” said Wysopal, who added that 90 percent of the applications scanned and analyzed by Veracode’s service contain common application security vulnerabilities such as SQL injection. “Rather, they were designed with a primary focus on functionality rather than on secure programming practices.”