top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

What is Ghost i.e security hole in the Linux?

+1 vote
302 views

Can someone describe in detail about the Ghost security hole. And is there any patch or a solution to fix it?

posted Jan 28, 2015 by anonymous

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

2 Answers

+1 vote

This was a problem fixed in glibc 2.18, so if you are using fedora i.e. F20 or above then you are safe else you need to update.

If you're running (a supported version of) a different Linux distribution with an old version, patches are likely available.

answer Jan 28, 2015 by anonymous
0 votes

Ghost is a vulnerability in glibc library

Following Articles outlines security bug in pre glibc-2.17 (pclos at glibc-2.16-7)
http://www.openwall.com/lists/oss-security/2015/01/27/9
http://arstechnica.com/security/2015/01/highly-critical-ghost-allowing-code-execution-affects-most-linux-systems/

An extremely critical vulnerability affecting most Linux distributions gives attackers the ability to execute malicious code on servers used to deliver e-mail, host webpages, and carry out other vital functions.

The vulnerability in the GNU C Library (glibc) represents a major Internet threat, in some ways comparable to the Heartbleed and Shellshock bugs that came to light last year. The bug, which is being dubbed "Ghost" by some researchers, has the common vulnerability and exposures designation of CVE-2015-0235. While a patch was issued two years ago, most Linux versions used in production systems remain unprotected at the moment. What's more, patching systems requires core functions or the entire affected server to be rebooted, a requirement that may cause some systems to remain vulnerable for some time to come.

The buffer overflow flaw resides in __nss_hostname_digits_dots(), a glibc function that's invoked by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to call either of these functions could exploit the flaw to execute arbitrary code with the permissions of the user running the application. In a blog post published Tuesday, researchers from security firm Qualys said they were able to write proof-of-concept exploit code that carried out a full-fledged remote code execution attack against the Exim mail server. The exploit bypassed all existing exploit protections available on both 32-bit and 64-bit systems, including address space layout randomization, position independent executions, and no execute protections. Qualys has not yet published the exploit code but eventually plans to make it available as a Metasploit module. [A lot of collateral damage on the Internet ]

The glibc is the most common code library used by Linux. It contains standard functions that programs written in the C and C++ languages use to carry out common tasks. The vulnerability also affects Linux programs written in Python, Ruby, and most other languages because they also rely on glibc. As a result, most Linux systems should be presumed vulnerable unless they run an alternative to glibc or use a glibc version that contains the update from two years ago. The specter of so many systems being susceptible to an exploit with such severe consequences is prompting concern among many security professionals. Besides Exim, other Linux components or apps that are potentially vulnerable to Ghost include MySQL servers, Secure Shell servers, form submission apps, and other types of mail servers.

"If [researchers] were able to remotely exploit a pretty modern version of Exim with full exploit mitigation, that's pretty severe," said Jon Oberheide, a Linux security expert and the CTO of two-factor authentication service Duo Security. "There could be a lot of collateral damage on the Internet if this exploit gets published publicly, which it looks like they plan to do, and if other people start to write exploits for other targets."

The bug affects virtually all Linux-based software that performs domain name resolution. As result, it most likely can be exploited not only against servers but also client applications. Word of the vulnerability appears to have caught developers of the Ubuntu, Debian, and Red Hat distributions of Linux off guard. At the time this post was being prepared they appeared to be aware of the bug but had not yet distributed a ready-made fix. People who administer Linux systems should closely monitor official channels for information about how specific distributions are affected and whether a patch is available. Admins should also prepare for the inevitable reboots that will be required after installing the patch.

answer Jan 28, 2015 by anonymous
Similar Questions
+8 votes

How to make of use of GNUPLOT in Linux for plotting graphs by taking input from files? Data in one file represents X-axis and other file data represents Y-axis. Can anyone help me out?

+2 votes

I have a IP configured which is not visible for another network (suppose IP: A).
I have a common machine/switch which is in between two networks, now need to set up IP forwarding such a way that the packets coming to IP: A should be forwarded to that machine correctly.

+6 votes

Is there any way to kill the process which went to uninterruptible sleep (D) state due of some reason without rebooting machine??

I observed one of the process went to D-state during performance runs. Now, not able to kill the process using pkill or kill commands? Finally, we have to reboot the Linux machine.

Can anyone helps me out for this situation?? I don't want to reboot the machine.

We can kill the Zombie (Z) process but not able to kill process which is in D-state.

+4 votes

When a process is created using vfork() child process is created and starts running in the parent process address space, until exit() or exec() is called.

What happens to the parent process, if some one kills the child process before calling the exit()/exec()?

...