ICS/Lotus (mostly), Linux, Travel, Skiing, Mixology, and Random Musing of Interest

Bill Malchisky


    Find me here…

  • Skype
  • Bleedyellow via Sametime
  • How To Kill a GHOST: The Next Vulnerability

    Bill Malchisky  April 10 2015 12:10:00 AM
    The first big vulnerability for 2015 launched during IBM ConnectED. With conference and presentation prep the past several weeks, I checked Planet Lotus to see if GHOST was previously covered. Not seeing any posts, I wanted to write about it now.

    In my opinion, this vulnerability gained less traction than POODLE and Shellshock due to the limited scope. GHOST (CVE-2015-0235) impacts the glibc gethostbyname() and gethostbyname2() calls. Applications using DNS resolution are primarily impacted, but any application utilizing glibc is a potential issue. As most non-hosting companies do not offer public DNS servers, the crisis is somewhat muted especially as the risk becomes internal only. However, the issue's importance became escalated on several sites in my opinion, due to the ease of which one can exploit the vulnerability--which I will intentionally leave undisclosed in this post.

    It is important to note that IBM Domino is NOT affected by GHOST.

    Additional Reading

    Common Vulnerabilities and Exposures' official write-up on CVE-2015-0235, including scores of references links
    National Vulnerability Database's summary via the NIST is here, revised 6 April 2015
    ZDNet's GHOST article

    Checking The Vulnerability

    Using the Red Hat Access Lab glibc (GHOST) Detector, one can quickly and easily ascertain the risk. This detector provides a small shell script which you run locally. Just change the permission to add executable access, then run the script. The results will tell you if you are vulnerable or not.
    Note: this tool only works for RHEL, CentOS and RHEL based systems

    Other options include, the Cyberciti post, and using OpenWall's C script


    To address this vulnerability, you just need to update the glibc version. If you have a fully patched system, this is trivial. If you have lagged on upgrades over a period of time, you might have several dependencies needing resolution. Each major distro has a page on this issue, with a suggested fix for their build.

    Red Hat -- they offer a fix for RHEL4 - RHEL7, with a caveat for RHEL4. They also suggest performing init 6, but recognize that is always less than convenient, so they provide a temporary method of restarting public facing processes in-scope. The full process list running glibc using the older glibc version, viewed through this command:

    lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t

    SUSE -- Issue announcement , their bugzilla report and resolution page
    Canonical's Ubuntu -- Security Notice USN-2485-1, their CVE-2015-0235 reference sheet, and Wiki reference sheet
    Debian Linux -- DSA-3142-1, addresses their eglibc, which is their version of glibc
    Oracle Linux
    Cyberciti.biz -- general testing and fixing for Linux distros with several included flavors

    Product Specific -- Red Hat's rhev-hypervisor6 security update

    IBM Specific Product Technotes

    Technote 1696618 covers their Security Proventia Network Enterprise Scanner product and lists a product fix
    Technote 1696526 covers their Security Virtual Server Protection for VMware with includes fixes
    Technote 1695835 covers their Security Access Manager for Enterprise SSO Virtual Appliance
    Technote 1696243 covers their WebSphere Transformation Extender with Launcher Hypervisor [for RHEL]
    Technote 1696602 covers their PureApplication System
    Technote 1696600 covers their Workload Deployer
    Technote 1695860 covers their QRadar SIEM, QRadar Risk Manager, and QRadar Vulnerability Manager products
    Technote 1696546 covers their Tivoli Access Manager for e-business
    Technote 1697649 covers Domino not being in-scope

    IBM's Product Security Incident Response site lists all of the IBM GHOST related Technotes
    No Comments Found

    Powered by IBM Lotus Domino 8 | Lotus User Group | Get Firefox! | This blog is listed on Planet Lotus   IBM Certified

    © 2010 William Malchisky.