
The GHOST vulnerability is a threat to critical business applications


Researchers at Veracode discovered that nearly 41% of enterprise applications using the GNU C Library employ the Ghost-ridden ‘gethostbyname’ function.

The GNU C Library (glibc) vulnerability, named the GHOST vulnerability, was released by Qualys Guard on 27th January 2015. The severity of this vulnerability is “CRITICAL” and it is listed in the CVE database as CVE-2015-0235. The vulnerability is termed GHOST because it lets an attacker take control of the victim’s system remotely by exploiting a buffer overflow bug in glibc’s gethostbyname() functions.

According to application security vendor Veracode, its cloud-based scanning service found that 41% of its customers use the GNU C Library (glibc) and its vulnerable gethostbyname function.

Veracode rated this vulnerability as highly critical, as 80% of applications such as financial transaction applications or applications that access sensitive databases use the glibc library and could fall victim to the GHOST vulnerability.

The gethostbyname() function resolves a hostname to an IPv4 address so that a socket can be created for the connection. When gethostbyname() fails to calculate the size of the data correctly during DNS resolution, not enough memory is allocated, which results in a buffer overflow. However, it has now been replaced by the getaddrinfo() function.

The location of the library differs between Linux distributions: for example, on CentOS it is /lib/libc.so.6 and on Ubuntu /usr/lib/x86_64-linux-gnu/libc.so. The systems vulnerable to GHOST are GNU C Library versions prior to glibc-2.18, Ubuntu 12.04, Debian 7, Red Hat Enterprise Linux 6 & 7, and CentOS 6 & 7.

Let’s test whether your systems are vulnerable to GHOST.

The first step is to check which version of glibc is present on the system.

To find the version of glibc on Ubuntu and Debian, run the command ldd --version. It shows the version of EGLIBC, a variant of glibc used on Ubuntu and Debian systems. The system is vulnerable to GHOST if the version of EGLIBC is older than the versions listed here: Ubuntu 12.04 LTS – 2.15-0ubuntu10.10 and Debian 7 LTS – 2.13-38+deb7u7.

To find the version of glibc on CentOS and RHEL, run the command rpm -q glibc. The system is vulnerable to GHOST if the version of glibc is older than the versions listed here: CentOS 6 – glibc-2.12-1.149.el6_6.5, CentOS 7 – glibc-2.17-55.el7_0.5, RHEL 6 – glibc-2.12-1.149.el6_6.5 and RHEL 7 – glibc-2.17-55.el7_0.5.
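The version comparison described above can be scripted for an inventory of hosts. The following is an added example, not part of the original article: the distro keys, function names and the sample inventory are assumptions made for illustration, and only the fixed versions come from the article.

```shell
#!/bin/sh
# Added example: offline GHOST (CVE-2015-0235) triage of package versions.
# First fixed versions are the ones listed in the article above.
fixed_version() {
    case "$1" in
        ubuntu12.04)   echo "2.15-0ubuntu10.10" ;;
        debian7)       echo "2.13-38+deb7u7" ;;
        centos6|rhel6) echo "2.12-1.149.el6_6.5" ;;
        centos7|rhel7) echo "2.17-55.el7_0.5" ;;
        *)             return 1 ;;
    esac
}

# Strip the package name and architecture that `rpm -q glibc` prints.
normalize() {
    v=${1#glibc-}; v=${v%.x86_64}; v=${v%.i686}
    echo "$v"
}

# True when $1 sorts strictly before $2. `sort -V` only approximates the
# dpkg/rpm ordering; on a live Debian/Ubuntu host prefer
# `dpkg --compare-versions`.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | LC_ALL=C sort -V | head -n 1)" = "$1" ]
}

# ghost_status <distro-key> <installed-version> -> VULNERABLE|PATCHED|UNKNOWN
ghost_status() {
    fixed=$(fixed_version "$1") || { echo "UNKNOWN"; return 0; }
    if version_lt "$(normalize "$2")" "$fixed"; then
        echo "VULNERABLE"
    else
        echo "PATCHED"
    fi
}

# Constructed inventory (host, distro key, installed version): hostnames and
# installed versions are made-up sample data, not taken from the article.
scan_inventory() {
    while read -r host distro version; do
        printf '%s %s\n' "$host" "$(ghost_status "$distro" "$version")"
    done <<'EOF'
web01 ubuntu12.04 2.15-0ubuntu10.9
db01 debian7 2.13-38+deb7u7
app01 centos6 glibc-2.12-1.132.el6.x86_64
mx01 rhel7 glibc-2.17-55.el7_0.5.x86_64
legacy01 other 2.11
EOF
}

scan_inventory
```

A host reported as UNKNOWN is one whose distribution is not in the article's list and needs a manual check against the vendor advisory.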


If you find that a system is vulnerable to GHOST, it should be patched, as all patches have been released.

The GHOST vulnerability can be addressed by updating the version of glibc.

For Ubuntu and Debian, run the commands sudo apt-get update and sudo apt-get dist-upgrade. After updating, you need to reboot the system using the command sudo reboot.

For Ubuntu and Debian

  • sudo apt-get update
  • sudo apt-get dist-upgrade
  • Press “Y”
  • Reboot the system using command sudo reboot

For CentOS and RHEL, run the command sudo yum update glibc. After updating, you need to reboot the system, either with the command sudo reboot or manually, whichever you prefer.

  • sudo yum update glibc
  • Press “Y”
  • Reboot the system using command sudo reboot

Software that initiates network connections, processes logs, or filters mail or spam can be vulnerable to GHOST, as it uses the gethostbyname() function.

Veracode found that 72% of applications written in C or C++ are potentially vulnerable to GHOST, and also found that applications written in Java, .NET, and PHP are vulnerable to GHOST.

ABOUT THE AUTHOR:
SUMIT KUMAR (MS Infosec(IIIT-A), C|EH v8, ISO 27001 LA)
MS in cyber law & Information security

Institute – Indian Institute of Information Technology- Allahabad

Email id- sumit843302@gmail.com

(Security Affairs –  Ghost vulnerability, Linux)