A highly critical vulnerability has been unearthed in the GNU C Library (glibc), a widely used component of most Linux distributions, that could allow attackers to execute malicious code on servers and remotely gain control of Linux machines.
The vulnerability, dubbed "GHOST" and assigned CVE-2015-0235, was discovered and disclosed by the security researchers from Redwood Shores, California-based security firm Qualys on Tuesday.
CRITICAL AS HEARTBLEED AND SHELLSHOCK
GHOST is considered to be critical because hackers could exploit it to silently gain complete control of a targeted Linux system without having any prior knowledge of system credentials (i.e. administrative passwords).
The flaw represents an immense Internet threat, in some ways similar to the <Heartbleed, Shellshock and Poodle bugs that came to light last year.
WHY GHOST ?
The vulnerability in the GNU C Library (glibc) is dubbed GHOST because it can be triggered by the library's gethostbyname family of functions. Glibc is a repository of open-source software written in the C and C++ coding languages that defines system calls.
The problem actual originates from a heap-based buffer overflow found in the __nss_hostname_digits_dots() function in glibc. This function is especially invoked by the _gethostbyname and gethostbyname2() function calls.
According to the researchers, a remote attacker has ability to call either of these functions which could allow them to exploit the vulnerability in an effort to execute arbitrary code with the permissions of the user running the application.
In an attempt to highlight the severity of the risk, security researchers were able to write proof-of-concept exploit code that is capable to carry out a full-fledged remote code execution attack against the Exim mail server
The researcher’s exploit able to bypass all existing exploit protections (like ASLR, PIE and NX) available on both 32-bit and 64-bit systems, including position independent executions, address space layout randomization and no execute protections.
Using the exploit, an attacker is able to craft malicious emails that could automatically compromise a vulnerable server without the email even being opened, according to Amol Sarwate, director of engineering with Qualys.
So far, the company has not published the exploit code to the public but eventually it plans to make the exploit available as a Metasploit module.
The vulnerability affects versions of glibc as far back as glibc-2.2, which was released in 2000.
In addition to Exim mail server, server software vulnerable to GHOST includes Apache, Exim, Sendmail, Nginx, MySQL, CUPS, Samba and many others, according to a later post
by Qualys researchers on the Full Disclosure mailing list.
"Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example," researchers from Qualys said in an advisory published Tuesday.
FIXES AVAILABLE FOR SOME LINUX DISTRIBUTIONS
However, major distributors of the Linux operating system, including Red Hat
, updated their software on Tuesday to thwart the serious cyber threat. In order to update systems, core functions or the entire affected server reboot is required.
Red Hat, the No. 1 provider of Linux software to businesses, recommends its customers to update their systems "as soon as possible to mitigate any potential risk."