Don't Be 'fraid of No GHOST; Glibc Vulnerability

During the blog downtime, observant security practitioners probably read about a serious new vulnerabilities called GHOST, which affects all Linux-based systems to some extent. I actually covered GHOST already, in one of my Daily Security Bytes, but you may have missed it during the downtime. Let me recap the issue here.

GHOST is the name Qualys gave to a newly reported security vulnerability in the very common glibc component that ships with almost all Linux-based software and hardware. If you haven’t heard of glibc, it’s the common GNU C library which contains functions that many Linux program rely on to do common task (such as looking up IP addresses). In a routine audit, Qualys researchers found that part of the gethostbyname() function suffers from a buffer overflow flaw that attackers can use to execute code on your Linux systems.

Because many different Linux application may (or may not) use this glibc function to look up IP addresses, this flaw might get exposed through almost any network service or package. Qualys specifically designed a Proof-of-Concept (PoC) exploit against the Exim email server, which attackers can exploit just by sending email, but they warn that many other Linux packages use the vulnerable function. Some potentially affected packages include:

• apache
• cups
• dovecot
• gnupg
• isc-dhcp
• lighttpd
• mariadb/mysql
• nfs-utils
• nginx
• nodejs
• openldap
• openssh
• postfix
• proftpd
• pure-ftpd
• rsyslog
• samba
• sendmail
• sysklogd
• syslog-ng
• tcp_wrappers
• vsftpd
• xinetd
• WordPress

That said, the  size of the buffer being overwritten is very limited; at only four to eight bytes. This makes it very challenging to actually exploit this flaw in many cases. So while quite a few packages may use the vulnerable function, not all of them actually pose a real-world risk.

It turns out that this particular glibc flaw was discovered and patched over two years ago. If you have glibc 2.18 or higher, you’re not affected. However, at the time it was patched the flaw was considered a bug rather than a security vulnerability, so many Linux distributions didn’t port the glibc update to their distro.

A quick way to check the glibc version on your Linux systems is to type the following command:

ldd --version

If that reports a version lower than 2.18, you need to upgrade. If you’re interested, this blog post has a lot more good information about testing for the flaw. The good news is every major Linux distribution has since updated. If you run Linux systems (especially public servers), I recommend you get your distro’s latest updates to fix this vulnerability.

Also, keep in mind that many hardware devices (often known as the Internet of Things) are actually embedded linux systems, which may need updates as well. Not to mention, some administrators may run Linux software ports on Windows and OS X systems as well. In these cases, it’s possible you might have vulnerable versions of glibc on those non-Linux systems.

Does GHOST Affect WatchGuard Products?

You may know that many WatchGuard product are Linux-based systems, and wonder how this flaw affects them. For the most part, this flaw has little to no impact to most of our products, with a few exceptions. Here are the details:

• WatchGuard XCS appliances – Not Affected.
• WatchGuard Wireless Access Points – Not Affected.
• Dimension v1.3 and higher – Not Affected.
• Dimension v1.2 and lower – Affected, but Dimension should have already auto-updated. The version of Ubuntu shipping with Dimension v1.2 does use a vulnerable glibc package. However, Dimension auto-updates, and downloads Ubuntu’s latest patches. Since Ubuntu released a patch long ago, your Dimension server should already be patched (as long as you didn’t disable auto-updates).
• WatchGuard XTM appliances – Affected, but not likely exploitable. XTM Fireware does contain the vulnerable version of glibc. HOWEVER, you are only vulnerable to this issue if a Linux service uses the gethostbyname() funtion. For better security, and IPv6 interoperability, our engineers use the newer getaddrinfo() to resolve hostnames, which is not affected by this vulnerability. We have not found any packages using the vulnerable function, so we believe this flaw has little to no real-world impact on our XTM devices. That said, we have already patched our glibc library, and XTM owners will receive this update in the next scheduled Fireware release. If you’d like to know more about the difference between these functions, I recommend you read this post.
• WatchGuard SSL VPN appliances – Affected. Our SSL VPN appliance does use the vulnerable library, and is affected by this flaw. We have already patched the flaw internally, and are currently scheduling a release vehicle for the update. I’ll update this post when we know a solid date.

So to summarize. If you use Linux systems, be sure to patch them as soon as you can. Most WatchGuard products aren’t really impacted by this flaw, but we recommend you install firmware updates when we release them. If you want to know more about this interesting and wide-spread issue, I’ve included a few references below. — Corey Nachreiner, CISSP (@SecAdept)

GHOST Vulnerability References:

• Qualys reports glibc RCE vulnerability – Openwall
• ZDNet article on Ghost – ZDNet
• A better function for DNS resolution today – Errata Sec
• Good write-up on Ghost vulnerability – ma.ttais.be
• Ars on Ghost – Ars Technica
• Qualys shares some potentially vulnerable packages – Openwall
• Great SANS video on Ghost – SANS
• Some additional notes on Ghost – Errata Sec
• Qualys’ blog post Ghost – Qualys