No! Not Casper, not that friendly GHOST!

Last year (2014) we saw a couple of big exploits that made the headlines and security teams all around the world are still picking up the pieces left by Heartbleed and ShellShock.

So where are we this year? We are not even 10% into the new year and already contenders are popping up trying to make their name. The newest vulnerability to get the brand treatment is GHOST.

A not so friendly GHOST

GHOST is a buffer overflow that affects the GNU C Library (otherwise known as glibc), specifically the __nss_hostname_digits_dots() function of glibc.

Because this function is available both remotely and locally (as gethostbyname functions generally are), it is exploitable both locally and remotely. Successful exploitation of this vulnerability allows for arbitrary code execution, resulting in unauthorised access. The full advisory can be read here and has been tagged with the corresponding CVE-2015-0235.

Who can I call? GHOSTbusters?

No working exploit has yet been disclosed. However, the technical explanation in the advisory could be sufficient to shed light on the matter and allow for a working version of the exploit to be developed.

GHOST’s impact should therefore be considered as critical and warrant early remediation.

As per the advisory, the disclosure of this vulnerability has been coordinated with several vendors in order to allow time to issue security related patches.

Vulnerable versions of glibc range between glibc-2.2 and glibc-2.17~glibc-2.18. However, many long term support and server grade distributions remain vulnerable. For example:

Debian 7 (wheezy)
Red Hat Enterprise Linux 6 & 7
CentOS 6 & 7
Ubuntu 12.04 LTS