Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
GHOST is a 'buffer overflow' bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.
Impact
The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.
Depending about the distro. For long support distro as red hat you have to fixed the bug.
For normal distro as Fedora, the bug should be already fixed.
Anyway, here more information.
You should update as soon as possible.
High vulnerability.
Maybe. But maybe not.
Quote:
Here is a list of potential targets that we investigated (they all call
gethostbyname, one way or another), but to the best of our knowledge,
the buffer overflow cannot be triggered in any of them:
That being said, we believe it would be interesting if other people
could have a look, just in case we missed something.
It looks like that this buffer-overflow in the glibc can be triggered by other external applications (which passes variables to it). But the tests were not focused to find real vulnerable applications (which can trigger it) but rather for vulnerability in general in glibc.
It doesn't mean it cannot be exploited but it's not so inevitable as it was published.
The impact of this bug is reduced significantly by the following
reasons:
- A patch already exists (since May 21, 2013), and has been applied and
tested since glibc-2.18, released on August 12, 2013:
...
- The gethostbyname*() functions are obsolete; with the advent of IPv6,
recent applications use getaddrinfo() instead.
- Many programs, especially SUID binaries reachable locally, use
gethostbyname() if, and only if, a preliminary call to inet_aton()
fails. However, a subsequent call must also succeed (the "inet-aton"
requirement) in order to reach the overflow: this is impossible, and
such programs are therefore safe.
- Most of the other programs, especially servers reachable remotely, use
gethostbyname() to perform forward-confirmed reverse DNS (FCrDNS, also
known as full-circle reverse DNS) checks. These programs are generally
safe, because the hostname passed to gethostbyname() has normally been
pre-validated by DNS software:
. "a string of labels each containing up to 63 8-bit octets, separated
by dots, and with a maximum total of 255 octets." This makes it
impossible to satisfy the "1-KB" requirement.
. Actually, glibc's DNS resolver can produce hostnames of up to
(almost) 1025 characters (in case of bit-string labels, and special
or non-printable characters). But this introduces backslashes ('\\')
and makes it impossible to satisfy the "digits-and-dots"
requirement.
@scuzbucket:~
$ ldd --version
ldd (Debian GLIBC 2.19-13) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
While mitigating circumstances are there, as exploiting this vulnerability isn't that easy as many commonly exposed services have been tested to be not vulnerable (http://www.openwall.com/lists/oss-se.../2015/01/27/18), this does not mean that you should aim to stay with an unsupported Linux distribution release.
Since you have posted no details that could help us help you all I can say is that yours is a problem you have to solve with whomever provides it. Have them change it or ponder the alternatives. If unsure post details but do not expect anyone here to support a Linux distribution release the vendor doesn't support. Linux may be free to use but using it should not be free of responsibilities.
According to RPM query, I've glibc 2.3.4-2.25,glibc-common 2.3.4-2.25 installed in my server. But when i tried run the vulnerability check script, it returned as "gcc: command not found".
i checked the "bin" directories i couldn't find the gcc script file and any other sysmlinks. i'm curious to know whether my server is vulnerable or not. Google is not helping much!! I'm returning to linux environment after a long stint with windows.
While mitigating circumstances are there, as exploiting this vulnerability isn't that easy as many commonly exposed services have been tested to be not vulnerable (http://www.openwall.com/lists/oss-se.../2015/01/27/18), this does not mean that you should aim to stay with an unsupported Linux distribution release.
Since you have posted no details that could help us help you all I can say is that yours is a problem you have to solve with whomever provides it. Have them change it or ponder the alternatives. If unsure post details but do not expect anyone here to support a Linux distribution release the vendor doesn't support. Linux may be free to use but using it should not be free of responsibilities.
As a silver lining, this issue has given me the leverage needed to decommission and/or upgrade the effected servers. On a happier note, all of my newer Ubuntu servers were either up to date or upgraded without drama.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.