GHOST, a critical Linux security hole, is revealed

[RV_]

I read the article, and the major distros got the word last week and the patches are available.

 

Excerpt:

 

"This security hole, which impacts many older versions of Linux and some current ones, should be patched as soon as possible.

 

Researchers at cloud security company Qualys have discovered a major security hole, GHOST (CVE-2015-0235), in the Linux GNU C Library (glibc). This vulnerability enables hackers to remotely take control of systems without even knowing any system IDs or passwords.

 

To exploit this vulnerability, all an attacker needs to do is trigger a buffer overflow by using an invalid hostname argument to an application that performs a DNS resolution. This vulnerability then enables a remote attacker to execute arbitrary code with the permissions of the user running DNS. In short, once an attacker has exploited GHOST they may be capable of taking over the system.

"GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine. For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine," said Wolfgang Kandek, Qualys's CTO in a statement. "Given the sheer number of systems based on glibc, we believe this is a high severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor."

 

Unlike some security announcements, Kandek is not crying wolf. Qualys has developed a proof-of-concept in which simply sending a specially created e-mail to a mail server enabled them to create a remote shell to the Linux machine. According to Qualys, "This bypasses all existing protections (like ASLR, PIE and NX) on both 32-bit and 64-bit systems."

 

My advice to you is to now, not later today, now, update your Linux system as soon as possible. After patching it, you should then reboot the system. I know for Linux it's rarely needed to reboot, but since gethostbyname is called on by so many core processes, such as auditd, dbus-daem, dhclient, init, master, mysqld, rsyslogd, sshd, udevd, and xinetd, you want to make absolutely sure that all your system's running programs are using the patched code."

 

The whole article is here: http://www.zdnet.com/article/critical-linux-security-hole-found/?tag=nl.e589&s_cid=e589&ttag=e589&ftag=TREc64629f

[RV_]

Who needs the patch? It is fixed - here is more to be sure.

 

The Ghost security hole perfectly illustrates the efficiency of open source

 

"A new security hole has been found (and patched) on Linux systems. Jack Wallen uses this example as yet more proof the open-source community exemplifies how patching should be done.

 

If you're reading this piece, you probably already know there's a ghost in the machine of Linux. Specifically, a critical hole in the GNU C Library (glibc). This haunting specter enables remote hackers to gain access to machines without the need for credentials of any kind.

 

That, my friends, is a nasty, looming hole.

 

Ghost, as it has been dubbed, is a buffer overflow issue that affects any system running glibc-2.2 or earlier. The official function in the GNU C Library that allows for the buffer overflow is _nss_hostname_digits_dots().

 

You can find out which version you are running from the command line. For example, on a Ubuntu (or Debian-based) system, issue the command:

dkpg -l libc6

 

On my Ubuntu 14.10 machine, I am returned:

ii libc6:amd64 2.19-10ubunt amd64 GNU C Library: Shared libraries

ii libc6:i386 2.19-10ubunt i386 GNU C Library: Shared libraries

 

For a distribution that uses the rpm package manager, that command would be:

rpm -qi libc6

 

I'm safe from this issue. If you're running 2.2 or earlier, you're not safe, and you need to upgrade as quickly as possible (to at least 2.18). Canonical has patched all LTS releases back to 10.04. A Debian fix is on the way, and both Red Hat and CentOS are working on patches. The upstream library was actually fixed at version 2.18 -- but the security flaw hadn't been recognized at that point.

 

If you find that your system is vulnerable, update IMMEDIATELY, and then reboot the machine. That's right... reboot. This flaw takes advantage of gethostbyname, which is called upon by a large number of subsystems. When you update, a reboot is the only way to make sure the patch takes effect.

Red Hat was notified of the issue and, within a week, released a fix for 5, 6, and 7. The key to that sentence is "within a week." That's a fast turn around for three releases.

 

What this nasty mess of a security hole illustrates for me is simple -- the open-source community can react very efficiently. Within moments of the flaws discovery, it was revealed which versions were safe, and patches were on the way. The second the patches are rolled into libc6, they'll be released without hesitation, and systems will once again be safe. This is how the open source community works. There's very little bureaucracy in the way of releasing major bug fixes -- it just happens and happens with an efficiency no proprietary software can match.

 

Naturally, there'll be those who point out the fact that there have been a few rather serious flaws found in Linux of late, which is very true. However, if you spend your days searching for holes, you'll find holes -- ways and means to exploit a piece of software -- regardless of the platform. They exist. In even the most secure package, at some point, someone will look at the code in a way no one else has and find a hole. No operating system is 100% safe. That lends a massive importance to the efficiency of patching holes."

 

The rest of the article is here: http://www.techrepublic.com/article/the-ghost-security-hole-perfectly-illustrates-the-efficiency-of-open-source/?tag=nl.e101&s_cid=e101&ttag=e101&ftag=TRE684d531