14 DAY TRIAL // A critical vulnerability has been found in a core library component in Linux operating system, allowing an attacker to remotely execute arbitrary code and gain full control of the affected machine.
The glitch is a buffer overflow in one function ("__nss_hostname_digits_dots()") of the glibc (GNU C) library, an implementation of the C standard library from the GNU Project, and it is essential for the Linux operating system to function.
Glitch can be triggered remotely
An attacker could exploit the flaw by sending a malicious message to an email application in order to get shell access to the machine. Among the applications identified as vulnerable, there are clockdiff, ping and arping (under certain conditions), procmail, pppd, and Exim mail server.
Vulnerability researchers at Qualys found the weakness during a code audit and noticed that it could be triggered either remotely or locally through the gethostbyname*() functions, which allowed programs access to the DNS resolver in order to turn a hostname into an IP address.
The researchers have determined that the vulnerability has been around for more than 14 years, since it affects glibc starting version 2.2, released in November 2000. A fix was included in glibc 2.17 and 2.18, available since May 21, 2013.
However, the update was not marked as a security fix and many stable and long-term-support (LTS) Linux distros did not implement it.
Some of the impacted operating systems are Debian 7 (wheezy), Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, Ubuntu 12.04. The latest version of glibc is 2.20, available since September 2014.
Patches are available for the Linux distros impacted
Given the fact that the vulnerability can be exploited via the GetHost functions, the researchers at Qualys dubbed it “GHOST.” The name is well suited since the flaw is an ancient one that should no longer exist, and yet it still haunts plenty of Linux versions currently in use.
At the moment, fixes are being distributed by Linux vendors to mitigate the risk. Users are advised to waste no time downloading and applying them.
Qualys has created an exploit for achieving remote command execution through the Exim mail server, but the actual code has not been released, as the company waits until a sufficient number of systems have been patched.
Amol Sarwate, director of the vulnerability labs at Qualys, shares details about the findings:
