cloudstack-users mailing list archives

From John Kinsella <...@stratosec.co>
Subject Re: GHOST glibc Remote Code Execution Vulnerability Affects All Linux Systems - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf
Date Wed, 28 Jan 2015 21:05:58 GMT
FYI the blog post mentioned below now has links to updated SSVM templates.

> On Jan 28, 2015, at 11:49 AM, John Kinsella <jlk@stratosec.co> wrote:
> 
> Folks - just posted mitigation details at [1]. An updated SSVM template is being QAed;
> once released the post will be updated with links and we’ll mention here as well.
> 
> John
> 1: https://blogs.apache.org/cloudstack/entry/cloudstack_and_the_ghost_glibc
> 
> On Jan 28, 2015, at 4:55 AM, Rohit Yadav <rohit.yadav@shapeblue.com> wrote:
> 
> Hi,
> 
> While it's a general public news, everyone is requested and encouraged
> to use the security mailing list in future to report anything. For more
> details please read: http://cloudstack.apache.org/security.html
> 
> Thanks and regards.
> 
> On Wednesday 28 January 2015 03:34 PM, linuxbqj@gmail.com wrote:
> A critical vulnerability has been found in glibc, the GNU C library,
> that affects all Linux systems dating back to 2000. Attackers can use
> this flaw to execute code and remotely gain control of Linux machines.
> 
> The issue stems from a heap-based buffer overflow found in the
> __nss_hostname_digits_dots() function in glibc. That particular
> function is used by the _gethostbyname function calls.
> 
> “A remote attacker able to make an application call either of these
> functions could use this flaw to execute arbitrary code with the
> permissions of the user running the application,” said an advisory
> from Linux distributor Red Hat.
> 
> The vulnerability, CVE-2015-0235, has already been nicknamed GHOST
> because of its relation to the _gethostbyname function. Researchers at
> Qualys discovered the flaw, and say it goes back to glibc version 2.2
> in Linux systems published in November 2000.
> 
> According to Qualys, there is a mitigation for this issue that was
> published May 21, 2013 between patch glibc-2.17 versions and
> glibc-2.18.
> 
> “Unfortunately, it was not recognized as a security threat; as a
> result, most stable and long-term-support distributions were left
> exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6
> & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from
> Qualys posted to the OSS-Security mailing list.
> 
> Respective Linux distributions will be releasing patches; Red Hat has
> released an update for Red Hat Enterprise Linux v.5 server. Novell has
> a list of SUSE Linux Enterprise Server builds affected by the
> vulnerability. Debian has already released an update of its software
> addressing the vulnerability.
> 
> “It’s everywhere, which is kind of the urgency we have here. This has
> been in glibc for a long time. It was fixed recently, but it was not
> marked as a security issue, so things that are fairly new should be
> OK,” said Josh Bressers, a member of the Red Hat security response
> team. “From a threat level, what it comes down to is a handful of
> stuff that’s probably dangerous that uses this function.”
> 
> Unlike past Internet-wide bugs such as Bash, patching glibc may not be
> the chore it was with Bash since so many components made silent Bash
> calls.
> 
> “In this instance, you just apply the glibc update, and restart any
> services that are vulnerable,” Bressers said. “It’s not confusing like
> Shellshock was.”
> 
> Qualys, in its advisory, not only shares extremely in-depth technical
> information on the vulnerability, but also includes a section
> explaining exploitation of the Exim SMTP mail server. The advisory
> demonstrates how to bypass NX, or No-eXecute protection as well as
> glibc malloc hardening, Qualys said.
> 
> Qualys also said that in addition to the 2013 patch, other factors
> mitigate the impact of the vulnerability, including the fact that the
> gethostbyname functions are obsolete because of IPv6 and newer
> applications using a different call, getaddrinfo(). While the flaw is
> also exploitable locally, this scenario too is mitigated because many
> programs rely on gethostbyname only if another preliminary call fails
> and a secondary call succeeds in order to reach the overflow. The
> advisory said this is “impossible” and those programs are safe.
> 
> There are mitigations against remote exploitation too, Qualys said.
> Servers, for example, use gethostbyname to perform full-circle reverse
> DNS checks. “These programs are generally safe because the hostname
> passed to gethostbyname() has normally been pre-validated by DNS
> software,” the advisory said.
> 
> “It’s not looking like a huge remote problem, right now,” Bressers said.
> 
> However, while the bug may have been dormant since 2000, there is no
> way to tell if criminals or government-sponsored hackers have been
> exploiting this vulnerability. Nor is there any way to tell what will
> happen once legitimate security researchers—and black hats—begin
> looking at the vulnerability now that it’s out in the open. With Bash,
> for example, it didn’t take long for additional security issues to
> rise to the surface.
> 
> - See more at: https://threatpost.com/ghost-glibc-remote-code-execution-vulnerability-affects-all-linux-systems/110679#sthash.3JH6GJTL.dpuf
> 
> --
> Regards,
> Rohit Yadav
> Software Architect, ShapeBlue
> M. +91 8826230892 | rohit.yadav@shapeblue.com
> Blog: bhaisaab.org | Twitter: @_bhaisaab
> PS. If you see any footer below, I did not add it :)
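The patch-and-restart advice quoted in the article above, turned into a post-update check: this is example code added for this thread, not from CloudStack, Qualys or the article, and it assumes a Linux host with /proc and getconf; the sample maps line in its comments is constructed.

```shell
#!/bin/sh
# Post-update checks for CVE-2015-0235 (GHOST). Example code added for this
# thread, not from CloudStack or the quoted article. Assumes a Linux host
# with /proc and getconf; run with --scan (as root to see every process).
# Classify a glibc version string against the upstream fix (2.18).
# Distributions backported the fix to older branches (e.g. 2.12 on RHEL 6),
# so anything below 2.18 is "check-backport": confirm via the package
# changelog, e.g.  rpm -q --changelog glibc | grep CVE-2015-0235
ghost_upstream_status() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) printf 'unknown\n'; return 0 ;;
    esac
    major=${1%%.*}
    rest=${1#*.}
    minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 18 ]; }; then
        printf 'fixed\n'
    else
        printf 'check-backport\n'
    fi
}
# Read a /proc/PID/maps listing on stdin. Print "yes" when libc is mapped from
# a file marked "(deleted)": the update replaced the library on disk, but
# this process still executes the old, vulnerable copy and must be restarted.
# Constructed sample line that matches:
#   7f0a r-xp 00000000 08:01 1  /lib64/libc-2.12.so (deleted)
maps_needs_restart() {
    if grep -E '/libc[-.][^ ]* \(deleted\)' >/dev/null 2>&1; then
        printf 'yes\n'
    else
        printf 'no\n'
    fi
}
# Walk every process and print "PID command" for those still on the old libc.
list_processes_needing_restart() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}; pid=${pid%/maps}
        if [ "$(maps_needs_restart < "$maps" 2>/dev/null)" = yes ]; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}
if [ "${1:-}" = "--scan" ]; then
    ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    printf 'glibc %s: %s\n' "$ver" "$(ghost_upstream_status "$ver")"
    list_processes_needing_restart
fi
```

Run it as `sh ghost_check.sh --scan` (as root) after the glibc update; every PID it lists is still executing the replaced library and needs a restart before the host is actually protected.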
