The Qualys security research team has found a critical vulnerability in the Linux GNU C Library (glibc), that allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.
Qualys has worked closely with Linux distribution vendors in a coordinated effort to offer a patch for all distributions of Linux systems impacted, which is available today from the corresponding vendors.
The vulnerability known as GHOST (CVE-2015-0235) as it can be triggered by the gethostbyname functions, impacts many systems built on Linux starting with glibc-2.2 released on November 10, 2000.
Researchers also identified a number of factors that mitigate the impact of this bug including a fix released on May 21, 2013 between the releases of glibc-2.17 and glibc-2.18. Unfortunately, this fix was not classified as a security advisory, and as a result, most stable and long-term-support distributions were left exposed including: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04.
“GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine. For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine,” said Wolfgang Kandek, CTO for Qualys, Inc. “Given the sheer number of systems based on glibc, we believe this is a high severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor.”
Here’s Amol Sarwate, Director of Vulnerability Labs, Qualys, discussing the GHOST vulnerability: