CVE-2015-0235 – GHOST: glibc gethostbyname buffer overflow

On January 27th, 2015 a buffer overflow was discovered and disclosed within the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions. Like most serious vulnerabilities disclosed recently, it has been given an affectionate nickname: “GHOST”.

As many of you may already know, glibc is integral to many components of the Linux operating system, as well as to a multitude of binaries, services and daemons that run on any given server.

Despite several limitations enforced inside of the library, it was proven that arbitrary code execution can still be achieved. As a proof of concept, there exists a full-fledged remote exploit against the Exim mail server, which bypasses all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines.

Security researchers identified a number of factors that mitigate the impact of this bug. In particular, they discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat at the time; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7 and Ubuntu 12.04, for example. Upstream vendors are working diligently to patch the vulnerability and distribute the fix across all their repository mirrors.

Details on how to check if you’re vulnerable and patch your servers can be found here.
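As an added example (not code from the original post or from glibc), the following C program checks whether the glibc on the machine it is compiled on still miscounts the buffer needed by __nss_hostname_digits_dots(). It uses the same canary idea as the public test programs for this bug: an all-digit hostname is sized so that the old, wrong formula believes it fits the buffer exactly, while the corrected formula reserves one extra pointer. A vulnerable glibc copies one pointer's worth of the name past the end of the buffer and overwrites the marker placed directly after it; a fixed glibc rejects the lookup with ERANGE before copying anything. The buffer size (1024), the canary string and the function names are choices made for this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Constructed marker placed directly after the lookup buffer.  A glibc that
   still miscounts the bytes needed for an all-digit name writes one
   pointer's worth of the name past the end of the buffer, i.e. over this. */
#define CANARY "in_the_coal_mine"

/* Length of an all-digit name that exactly fills BUFLEN bytes under the old
   (miscounted) formula: 16-byte address + two address-list pointers + NUL.
   The corrected formula also reserves one alias pointer, so a fixed glibc
   sees the request as one pointer too large and rejects it with ERANGE. */
size_t probe_name_length(size_t buflen)
{
    return buflen - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

/* Returns 1 if the canary was clobbered (glibc still vulnerable), 0 if the
   lookup was rejected with ERANGE (fixed glibc), and -1 if neither happened
   (inconclusive, e.g. a non-glibc libc).  If retval_out is non-NULL it
   receives the return value of gethostbyname_r(). */
int ghost_check(int *retval_out)
{
    /* Keeping buffer and canary in one struct guarantees they are adjacent. */
    struct {
        char buffer[1024];
        char canary[sizeof(CANARY)];
    } probe;
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(probe.buffer)];
    size_t len = probe_name_length(sizeof(probe.buffer));

    memset(&probe, 0, sizeof(probe));
    memcpy(probe.canary, CANARY, sizeof(CANARY));

    /* An all-digit name takes the digits-and-dots fast path in glibc. */
    memset(name, '0', len);
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, probe.buffer,
                                 sizeof(probe.buffer), &result, &herrno);
    if (retval_out != NULL)
        *retval_out = retval;

    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;               /* name spilled over the buffer: vulnerable */
    if (retval == ERANGE)
        return 0;               /* request correctly refused: fixed */
    return -1;                  /* neither outcome: inconclusive */
}

int main(void)
{
    int retval = 0;
    switch (ghost_check(&retval)) {
    case 1:
        puts("vulnerable: canary overwritten by gethostbyname_r");
        return 1;
    case 0:
        puts("not vulnerable: lookup rejected with ERANGE");
        return 0;
    default:
        printf("inconclusive: gethostbyname_r returned %d\n", retval);
        return 2;
    }
}
```

Build with `gcc -o ghost_check ghost_check.c` and run it on the host being assessed; because the check exercises the libc the binary is linked against, it must be compiled and run on that host rather than copied from elsewhere. A "vulnerable" result means the installed glibc still carries the bug regardless of what the package version string says, which is useful when a distribution has backported the fix without bumping the upstream version.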