TheSonic Posted January 28, 2015 Posted January 28, 2015 I received this securitybulletin minutes ago: Today, a critical security vulnerability affecting many versions of Linux was released. As this can possibly lead to remote code execution, our advisory is to patch your system -NOW- and not later today, if you should find that the version of Linux you are using is vulnerable. The vulnerability is called GHOST and was found by Qualys security labs. It affects the function "gethostbyname" which is used by many programs to fetch the IP of a hostname. To our knowledge, at least the following Linux distributions are affected (PLEASE CHECK YOUR OS EVEN IF NOT LISTED):Ubuntu 10.04/12.04Debian 7CentOS 6 and 7 (potentially 5 as well)SLES 11If you are unsure: You can find a script which will check your system at http://i.yt.gl/get/44ecc/pseet.zipunzip the package, then chmod +x GHOST-vuln-check.sh -> now simply ./GHOST-vuln-check.sh and you should get information if your system is vulnerable. (We take no warranty that this script works for you, we are not liable for damage.) Please note: You WILL NEED to restart your system. We know that this is unusual on Linux, but the respective function is used within core components. Therefor, to ensure that your server is not at any risk, please restart your server after installing the patch.
Joriz Posted January 28, 2015 Posted January 28, 2015 Thanks for sharing!Running yum update or apt-get update should be enough in most cases.For more info see: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
TheSonic Posted January 28, 2015 Author Posted January 28, 2015 Yes, on CentOS 6.5 x64, glibc was updated this morning: ================================================================================================== Package Arch Version ================================================================================================== Updating: glibc x86_64 2.12-1.149.el6_6.5 glibc-common x86_64 2.12-1.149.el6_6.5 glibc-devel x86_64 2.12-1.149.el6_6.5 glibc-headers x86_64 2.12-1.149.el6_6.5 Testscript results: not vulnerable
ASTRAPI Posted January 28, 2015 Posted January 28, 2015 Possible attack vectorsThe gethostbyname() call is probably among the most used ones on a server. That means any kind of DNS resolve can be used to trigger the CVE. The only catch is, you need to control whatever DNS is being resolved.That could mean; Mailservers using reverse DNS lookups on connecting IPs (DNS Blacklisting, SPF checks, ...)Form submits that allow user content which results in a DNS lookup, think URLs, WordPress XML-RPC pingbacks, ...MySQL servers doing authentication checks based on hostnames (in MySQL privileges)SSH servers that perform DNS lookups for authentication allow/deny rules...For a more in-depth look, including code examples, have a look at the Qualys mailing list entry which covers the situation more in-depth.Any kind of DNS lookup can potentially trigger this. The only "positive" thing is that the exploit doesn't immediately escalate privileges, you're still the same user that ran the command. But there are ways of doing privilege escalation of course. And non-privileged users are still valuable assets for DDoS attacks, making server inventories You can use this command to check which services use libc and restart them :for s in $(lsof | grep libc | awk '{print $1}' | sort | uniq); do if [[ -f "/etc/init.d/$s" && "$(ps aufx | grep -v grep | grep $s)" ]]; then echo $s; service $s restart; fi; done
CheersnGears Posted January 28, 2015 Posted January 28, 2015 I chmoded the script +X, but I'm still getting permission denied
TheSonic Posted January 28, 2015 Author Posted January 28, 2015 Hm... try chmod 777 GHOST-vuln-check.sh Be sure to remove the script after executing. rm GHOST-vuln-check.sh
Makoto Posted January 28, 2015 Posted January 28, 2015 Another exploit being given a cute nickname so it itself can be exploited for media exposure and monetization.That's nice.
Recommended Posts
Archived
This topic is now archived and is closed to further replies.