Linux zero-day vulnerability - Important information for Linux servers

[TheSonic]

I received this securitybulletin minutes ago:
 

Today, a critical security vulnerability affecting many versions of Linux was released. As this can possibly lead to remote code execution, our advisory is to patch your system -NOW- and not later today, if you should find that the version of Linux you are using is vulnerable. 

The vulnerability is called GHOST and was found by Qualys security labs. It affects the function "gethostbyname" which is used by many programs to fetch the IP of a hostname. To our knowledge, at least the following Linux distributions are affected (PLEASE CHECK YOUR OS EVEN IF NOT LISTED):

• Ubuntu 10.04/12.04

• Debian 7

• CentOS 6 and 7 (potentially 5 as well)

• SLES 11

If you are unsure: You can find a script which will check your system at http://i.yt.gl/get/44ecc/pseet.zip
unzip the package, then chmod +x GHOST-vuln-check.sh -> now simply ./GHOST-vuln-check.sh and you should get information if your system is vulnerable. (We take no warranty that this script works for you, we are not liable for damage.) 

Please note: You WILL NEED to restart your system. We know that this is unusual on Linux, but the respective function is used within core components. Therefor, to ensure that your server is not at any risk, please restart your server after installing the patch.

[Joriz]

Thanks for sharing!

Running yum update or apt-get update should be enough in most cases.

For more info see: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

[TheSonic]

Yes, on CentOS 6.5 x64, glibc was updated this morning:

 

==================================================================================================
 Package                                    Arch                           Version                                              ==================================================================================================
Updating:                                                                                                                                                             
 glibc                                      x86_64                         2.12-1.149.el6_6.5                                   
 glibc-common                               x86_64                         2.12-1.149.el6_6.5                                   
 glibc-devel                                x86_64                         2.12-1.149.el6_6.5                                   
 glibc-headers                              x86_64                         2.12-1.149.el6_6.5                                   

 

Testscript results: not vulnerable 

[ASTRAPI]

Possible attack vectors

The gethostbyname() call is probably among the most used ones on a server. That means any kind of DNS resolve can be used to trigger the CVE. The only catch is, you need to control whatever DNS is being resolved.

That could mean;
 

• Mailservers using reverse DNS lookups on connecting IPs (DNS Blacklisting, SPF checks, ...)
• Form submits that allow user content which results in a DNS lookup, think URLs, WordPress XML-RPC pingbacks, ...
• MySQL servers doing authentication checks based on hostnames (in MySQL privileges)
• SSH servers that perform DNS lookups for authentication allow/deny rules

...
For a more in-depth look, including code examples, have a look at the Qualys mailing list entry which covers the situation more in-depth.

Any kind of DNS lookup can potentially trigger this. The only "positive" thing is that the exploit doesn't immediately escalate privileges, you're still the same user that ran the command. But there are ways of doing privilege escalation of course. And non-privileged users are still valuable assets for DDoS attacks, making server inventories

 

You can use this command to check which services use libc and restart them :

for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep $s)" ]]; then echo $s; service $s restart; fi; done

 

[CheersnGears]

I chmoded the script +X, but I'm still getting permission denied

 

[TheSonic]

Hm... try 

chmod 777 GHOST-vuln-check.sh 

Be sure to remove the script after executing.
 

rm GHOST-vuln-check.sh 

 

[Makoto]

Another exploit being given a cute nickname so it itself can be exploited for media exposure and monetization.

That's nice.