On 01/28/2015 09:21 AM, Norah Jones wrote:
Hi,
Can someone describe in detail the Ghost security hole? And is there any
patch or a solution to fix it?
Thanks,
Norah Jones
The following is repeated verbatim from the PCLinuxOS Forum:
(Posted by jzakiya)
glibc vulnerability
« on: Yesterday at 04:28:36 PM »
Articles outline security bug in pre glibc-2.17 (pclos at glibc-2.16-7)
http://www.openwall.com/lists/oss-security/2015/01/27/9
http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/
An extremely critical vulnerability affecting most Linux distributions gives
attackers the ability to execute malicious code on servers used to deliver
e-mail, host webpages, and carry out other vital functions.
The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in
some ways comparable to the Heartbleed and Shellshock bugs that came to light last year.
The bug, which is being dubbed "Ghost" by some researchers, has the common
vulnerability and exposures designation of CVE-2015-0235. While a patch was issued two
years ago, most Linux versions used in production systems remain unprotected at the
moment. What's more, patching systems requires core functions or the entire affected
server to be rebooted, a requirement that may cause some systems to remain vulnerable for
some time to come.
The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc
function that's invoked by the gethostbyname() and gethostbyname2() function
calls. A remote attacker able to call either of these functions could exploit
the flaw to execute arbitrary code with the permissions of the user running the
application. In a blog post published Tuesday, researchers from security firm
Qualys said they were able to write proof-of-concept exploit code that carried
out a full-fledged remote code execution attack against the Exim mail server.
The exploit bypassed all existing exploit protections available on both 32-bit
and 64-bit systems, including address space layout randomization, position
independent executions, and no execute protections. Qualys has not yet
published the exploit code but eventually plans to make it available as a
Metasploit module.
“A lot of collateral damage on the Internet”
The glibc is the most common code library used by Linux. It contains standard
functions that programs written in the C and C++ languages use to carry out
common tasks. The vulnerability also affects Linux programs written in Python,
Ruby, and most other languages because they also rely on glibc. As a result,
most Linux systems should be presumed vulnerable unless they run an alternative
to glibc or use a glibc version that contains the update from two years ago.
The specter of so many systems being susceptible to an exploit with such severe
consequences is prompting concern among many security professionals. Besides
Exim, other Linux components or apps that are potentially vulnerable to Ghost
include MySQL servers, Secure Shell servers, form submission apps, and other
types of mail servers.
"If [researchers] were able to remotely exploit a pretty modern version of Exim with full
exploit mitigations, that's pretty severe," said Jon Oberheide, a Linux security expert and
the CTO of two-factor authentication service Duo Security. "There could be a lot of collateral
damage on the Internet if this exploit gets published publicly, which it looks like they plan to
do, and if other people start to write exploits for other targets."
The bug affects virtually all Linux-based software that performs domain name
resolution. As a result, it most likely can be exploited not only against servers
but also client applications. Word of the vulnerability appears to have caught
developers of the Ubuntu, Debian, and Red Hat distributions of Linux off guard.
At the time this post was being prepared they appeared to be aware of the bug
but had not yet distributed a ready-made fix. People who administer Linux
systems should closely monitor official channels for information about how
specific distributions are affected and whether a patch is available. Admins
should also prepare for the inevitable reboots that will be required after
installing the patch.
--
users mailing list
users@lists.fedoraproject.org
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
Have a question? Ask away: http://ask.fedoraproject.org
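
Added example (not part of the original message or the quoted article): the article notes that patching requires restarting affected services or rebooting. This Python sketch finds processes that still map a replaced copy of glibc by looking for "(deleted)" libc mappings in /proc/<pid>/maps. The function names and sample maps text are constructed for illustration.

```python
import os
import re

# Matches glibc's main shared object, e.g. libc-2.16.so or libc.so.6
LIBC_NAME = re.compile(r"^libc(-[\d.]+)?\.so(\.\d+)*$")
DELETED = " (deleted)"  # suffix the kernel adds when the mapped file was unlinked

def stale_libc_paths(maps_text):
    """Return sorted paths of libc mappings whose backing file was replaced."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # addr perms offset dev inode [path]
        if len(fields) < 6:
            continue                   # anonymous mapping, no path
        path = fields[5]
        if not path.endswith(DELETED):
            continue                   # file on disk is still the mapped one
        path = path[: -len(DELETED)]
        if LIBC_NAME.match(os.path.basename(path)):
            stale.add(path)
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> stale libc paths for every process we are allowed to read."""
    results = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps"), errors="replace") as fh:
                stale = stale_libc_paths(fh.read())
        except OSError:
            continue                   # process exited or permission denied
        if stale:
            results[int(entry)] = stale
    return results

# Constructed sample: a process started before the glibc package was updated
SAMPLE_OLD = """\
00400000-0040b000 r-xp 00000000 08:01 131 /usr/sbin/exim
7f1c2a000000-7f1c2a1b4000 r-xp 00000000 08:01 2621 /lib64/libc-2.16.so (deleted)
7f1c2a1b4000-7f1c2a3b3000 ---p 001b4000 08:01 2621 /lib64/libc-2.16.so (deleted)
7ffd1c000000-7ffd1c021000 rw-p 00000000 00:00 0 [stack]
"""
# Constructed sample: a process started after the update
SAMPLE_NEW = """\
00400000-0040b000 r-xp 00000000 08:01 131 /usr/sbin/exim
7f9e10000000-7f9e101b4000 r-xp 00000000 08:01 2790 /lib64/libc-2.16.so
"""

if __name__ == "__main__":
    for pid, paths in sorted(scan_proc().items()):
        print(pid, ", ".join(paths))
```

Run it as root after installing the updated glibc package to see every process. Anything it lists is still executing the old library code and needs a restart, even when the patched file keeps the same name.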