Reactions to the serious vulnerability found in Glibc

The Qualys security research team has found a critical vulnerability in the Linux GNU C Library (glibc), that allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.

Here are some of the comments Help Net Security received:

HD Moore, Chief Research Officer, Rapid7

Linux-based appliances from a variety of vendors are going to be impacted, though as with most library-level vulnerabilities, the attack surface is still largely unknown. If you use Linux-based appliances, check with your vendor to determine whether an update is available and needs to be applied.

To be clear, this is NOT the end of the Internet as we know it, nor is it another Heartbleed. In a general sense, it’s not likely to be an easy bug to exploit. One easily-exploitable case identified so far is the Exim mail server. An attacker could abuse this vulnerability to execute arbitrary commands on an unpatched server.

Still, it could potentially be nasty if exploited so we strongly recommend immediate patching and rebooting. Without a reboot, services using the old library will not be restarted.

Chris Wysopal, CTO at Veracode

This is a serious vulnerability because it is high impact when exploited and is very widespread since there are so many systems using vulnerable versions of Linux accessible from the internet. Qualys does a good job of laying out mitigating factors which do limit the number of programs effected. Its not all internet facing software on Linux. Attackers are undoubtably starting the search for Linux programs that are vulnerable because of their use of the vulnerable function in the widely used glibc library. Qualys gives the examples of the Exim mail server as vulnerable.

This is yet another example, like Heartbleed and Shellshock, of a vulnerable open source component that is heavily used leading to many programs inheriting the vulnerable code. It won’t be as widespread as those flaws but it is widespread enough that IT operations at many companies are scrambling to patch.

Gavin Millard, Technical Director EMEA at Tenable Network Security

Another major vulnerability has been found in an extremely popular open source codebase that’s widely utilized across Linux systems everywhere. This time though, the maintainers of crypto libraries can breathe a sigh of relief as it affects Glibc. Unfortunately CVE-2015-0235, or GHOST as it’s already being dubbed, has the ability to execute code without authentication through some listening services. There’s proof of concept code available to test if your systems are affected and an example exploit against Exim mail server which could be weaponized with ease.

Patches are being released for the major Linux distributions and should be applied with a priority on any vulnerable systems with services that can be reached from the Internet. As with Shellshock and Heartbleed, with so many systems possibly open to attack, the need to quickly identify and patch any vulnerable systems should be high on the agenda of any organization that wants to reduce the probability of data loss.

Vulnerable versions of Glibc will be found on pretty much every Linux server although it isn’t usually used on smaller embedded systems due to its size, which thankfully means the millions of IoT [internet of things] devices and home routers out there that have slower or non-existent patch cycles shouldn’t be affected.

Szilard Stange, Director of Product Management at OPSWAT

Vulnerabilities like this one point out some difficulties of how to handle the disclosure process. According to our investigation many distributions were not affected by this vulnerability like the latest long-term-support release of Ubuntu, many distributions have released an update to the vulnerable software about a week before the publication date and many other have released updates on the same day like Red Hat and Debian. All the updates were released as a result of the coordination of the disclosure process. We can say that all major Linux distributions had the fix released on the same day of security advisory release.

One can ask what the best procedure is to handle this type of serious issues that can provide remote exploit indirectly to well known softwares like Exim? I think the bad guys on the dark side of the Internet constantly monitor security advisories of well known Linux distributions also. So what happens if one of the distributions releases a security fix earlier than the others? In the open source world everything is open sources so are the modification of security updates. The bad guys can easily track back vulnerabilities from the patched source code and they have many software engineers on board to develop the exploit code to sell or to utilize it to attack another distributions.

What would happen if all distributions got the security release at the same time? Many system administrator have to update their system immediately to minimize the vulnerability window and as a result of coordinated security advisory release the systems could get the patch within a shorter period of time. But can they do this on all systems? Sometime not, for most of the companies threat business continuity is more critical than patching systems to close vulnerabilities. That is why layered defense is so important and that is why we can suggest that nobody should trust only in one system at least if we talk about security. Homogeneous systems are easier to manage but these systems could make the company infrastructure open in case if a core component like the Linux GNU C Library is vulnerable.

David Harley, Senior Research Fellow at ESET

It’s a buffer overflow issue in a glibc function invoked by gethostbyname() or gethostbyname(2), used for domain name resolution. It’s pretty serious in that the glibc library is heavily used by Linux developers in a range of languages, the function in question __nss_hostname_digits_dots() performs operations that are very frequently necessary for normal operation of an internet-connected system, and generic protective measures like ASLR aren’t effective.

Qualys has developed a working exploit against the Exim mail server which it plans to release as a Metasploit module, so it’s going to be widely available. (In fact, some malicious actors may find the code samples used to illustrate the bug enough to use as a basis for exploiting it.)

There are some mitigations: a surprising number of apps probably isn’t affected. And the bug was actually fixed in 2013 in glibc-2.18, but because it wasn’t seen as a security issue until now, there are many Linux distros that are using an earlier, vulnerable version. Major Linux versions are being updated already, but even though most Linux system administrators are pretty savvy and have been quick to respond, there’s been a short-term impact because update servers have been hammered by requests for the updated packages. Hopefully, this will be short-term enough to allow a majority of developers to update before there are in-the-wild exploits, though I imagine that there will be malware in due course that will attempt an exploit just in case it gets access to an unpatched system.