A Ghost in the device? CVE-2015-0235

On Tuesday January 27, 2015, Qualys security researchers disclosed the GHOST vulnerability (CVE-2015-0235), a serious weakness in the Linux glibc library that allows attackers to remotely take complete control of a victim system without any prior knowledge of system credentials.

This vulnerability affects the gethostbyname() and gethostbyname2() functions, originally used to resolve a hostname to an IP address. These functions have been deprecated for approximately fifteen years, largely because they do not support IPv6. Their replacement, getaddrinfo(), does support IPv6 and is not affected by this buffer overflow. Programs that still call the deprecated gethostbyname() and gethostbyname2() may be affected by GHOST.
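The paragraph above names getaddrinfo() as the unaffected replacement. The program below is an added example, not code from the original post or from Qualys, showing the getaddrinfo() pattern a program migrating off gethostbyname() would use; resolve_to_text() and literal_resolves_to() are hypothetical helper names. With AI_NUMERICHOST set, getaddrinfo() only parses the string and never queries DNS, so the constructed sample inputs run offline.

```c
/* Added example (not code from the original post): resolving with getaddrinfo(),
 * the IPv6-aware replacement for the gethostbyname() family that GHOST affects.
 * resolve_to_text() and literal_resolves_to() are hypothetical helper names. */
#define _POSIX_C_SOURCE 200112L
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Resolve `host` and write its first address as text into `out` (size outlen).
 * Returns 0 on success or a getaddrinfo()-style error code (see gai_strerror()).
 * numeric_only=1 accepts only IP literals and never touches the network. */
int resolve_to_text(const char *host, int numeric_only, char *out, size_t outlen)
{
    struct addrinfo hints, *res = NULL;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;        /* IPv4 and IPv6, unlike gethostbyname() */
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = numeric_only ? AI_NUMERICHOST : 0;

    int rc = getaddrinfo(host, NULL, &hints, &res);
    if (rc != 0)
        return rc;

    const void *addr = (res->ai_family == AF_INET)
        ? (const void *)&((struct sockaddr_in *)res->ai_addr)->sin_addr
        : (const void *)&((struct sockaddr_in6 *)res->ai_addr)->sin6_addr;

    /* inet_ntop() is bounded by outlen, so a long input cannot overrun the
     * caller's buffer; the caller owns the sizing decision explicitly. */
    const char *p = inet_ntop(res->ai_family, addr, out, outlen);
    freeaddrinfo(res);
    return p ? 0 : EAI_OVERFLOW;
}

/* 1 if `literal` parses as an IP literal (no DNS) and prints back as `expect`. */
int literal_resolves_to(const char *literal, const char *expect)
{
    char buf[INET6_ADDRSTRLEN];
    return resolve_to_text(literal, 1, buf, sizeof buf) == 0
        && strcmp(buf, expect) == 0;
}

int main(int argc, char **argv)
{
    /* constructed sample input; pass a hostname as argv[1] to do a real lookup */
    const char *host = argc > 1 ? argv[1] : "127.0.0.1";
    char buf[INET6_ADDRSTRLEN];
    int rc = resolve_to_text(host, argc <= 1, buf, sizeof buf);
    if (rc == 0)
        printf("%s -> %s\n", host, buf);
    else
        printf("%s: %s\n", host, gai_strerror(rc));
    return rc != 0;
}
```

Compile with `gcc -o resolve resolve.c`; run it without arguments for the offline literal, or with a hostname to perform a real lookup through getaddrinfo(). The important difference from the deprecated API is that the output buffer and its size are supplied by the caller and honoured by inet_ntop(), and that both address families come back through the same call.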

Note: The GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a Linux system will not function.

For the same reason, some web applications can be exploited as well. For instance, PHP applications, including WordPress, use PHP's gethostbyname() wrapper around the libc call, so an attacker could supply a malicious hostname in a URL that triggers the buffer overflow server-side, potentially gaining privileges on the server.

How to check if a Linux server is secure?

Method #1: GHOST.c glibc vulnerability test (C program)

Save the following as GHOST.c:

/*
 * GHOST vulnerability check
 * http://www.openwall.com/lists/oss-security/2015/01/27/9
 * Usage: gcc GHOST.c -o GHOST && ./GHOST
 */

#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

#define CANARY "in_the_coal_mine"

/* The canary sits directly after the buffer handed to gethostbyname_r():
 * a vulnerable glibc overwrites it, a fixed glibc returns ERANGE instead. */
struct {
  char buffer[1024];
  char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

int main(void) {
  struct hostent resbuf;
  struct hostent *result;
  int herrno;
  int retval;

  /*** strlen (name) = size_needed - sizeof (*host_addr) - sizeof (*h_addr_ptrs) - 1; ***/
  size_t len = sizeof(temp.buffer) - 16*sizeof(unsigned char) - 2*sizeof(char *) - 1;
  char name[sizeof(temp.buffer)];
  memset(name, '0', len);   /* an all-digit name exercises the affected code path */
  name[len] = '\0';

  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);

  if (strcmp(temp.canary, CANARY) != 0) {
    puts("vulnerable");
    exit(EXIT_SUCCESS);
  }
  if (retval == ERANGE) {
    puts("not vulnerable");
    exit(EXIT_SUCCESS);
  }
  puts("should not happen");
  exit(EXIT_FAILURE);
}

Compile it:

gcc -o GHOST GHOST.c

Test it:

./GHOST

 

Method #2: GHOST-test.sh Vulnerability Test Bash Script

Save the script as GHOST-test.sh:

#!/bin/bash
#Version 3

echo "Installed glibc version(s)"

rv=0
for glibc_nvr in $( rpm -q --qf '%{name}-%{version}-%{release}.%{arch}\n' glibc ); do
    glibc_ver=$( echo "$glibc_nvr" | awk -F- '{ print $2 }' )
    glibc_maj=$( echo "$glibc_ver" | awk -F. '{ print $1 }')
    glibc_min=$( echo "$glibc_ver" | awk -F. '{ print $2 }')
    
    echo -n "- $glibc_nvr: "
    if [ "$glibc_maj" -gt 2   -o  \
        \( "$glibc_maj" -eq 2  -a  "$glibc_min" -ge 18 \) ]; then
        # fixed upstream version
        echo 'not vulnerable'
    else
        # all RHEL updates include CVE in rpm %changelog
        if rpm -q --changelog "$glibc_nvr" | grep -q 'CVE-2015-0235'; then
            echo "not vulnerable"
        else
            echo "vulnerable"
            rv=1
        fi
    fi
done

if [ $rv -ne 0 ]; then
    cat <<EOF
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps
EOF
fi

exit $rv

Run the script as follows (it queries rpm, so it applies to RPM-based distributions such as RHEL and CentOS; the C program in Method #1 works on any distribution):

bash GHOST-test.sh
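The script above applies a single threshold, glibc 2.18 or newer, and otherwise falls back to the rpm changelog because distributions backport fixes into older branches. The program below is an added example, not part of the original post or of Red Hat's script, that applies the same threshold to the C library a process is actually running against, via glibc's gnu_get_libc_version(); glibc_has_upstream_fix() is a hypothetical helper name, and the version strings in the comments are constructed samples.

```c
/* Added example (not code from the original post): the GHOST-test.sh
 * threshold (glibc >= 2.18) checked against the running C library rather
 * than rpm metadata. glibc_has_upstream_fix() is a hypothetical helper. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version(): e.g. "2.17" */
#endif

/* Parse "MAJOR.MINOR[.extra]" and return 1 if MAJOR.MINOR >= 2.18, the first
 * upstream release carrying the fix; 0 otherwise or for a malformed string.
 * A 0 result does NOT by itself mean vulnerable: vendors backport the fix into
 * older branches, which is exactly why the script greps the rpm changelog. */
int glibc_has_upstream_fix(const char *version)
{
    char *end;
    long major = strtol(version, &end, 10);
    if (end == version || *end != '.')
        return 0;                       /* no "MAJOR." prefix */
    const char *minor_start = end + 1;
    long minor = strtol(minor_start, &end, 10);
    if (end == minor_start)
        return 0;                       /* no MINOR digits */
    return major > 2 || (major == 2 && minor >= 18);
}

int main(void)
{
#ifdef __GLIBC__
    const char *v = gnu_get_libc_version();
    printf("running glibc %s: %s\n", v,
           glibc_has_upstream_fix(v) ? "upstream fix present"
                                     : "pre-2.18, verify the vendor backport");
#else
    puts("not glibc: GHOST is a glibc bug and does not apply to this C library");
#endif
    return 0;
}
```

This complements rather than replaces the rpm check: a container or a statically linked binary can carry a different glibc than the host package database reports, and this program answers for the library it was linked against. On a pre-2.18 version it deliberately reports "verify the vendor backport" instead of "vulnerable", because only the package changelog (or the canary test in Method #1) can tell the two apart.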

 

Method #3: Vulnerability Test PHP Script

Run the following one-liner, which passes an overlong all-digit hostname to PHP's gethostbyname() wrapper:

php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'

On a vulnerable system the command crashes with a segmentation fault; on a patched system it returns normally.

Obviously, if any of these tests reports the system as vulnerable, it is vulnerable.

According to Qualys, a fix for this issue was published on May 21, 2013, between the releases of glibc-2.17 and glibc-2.18.

“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example,” said an advisory from Qualys posted to the OSS-Security mailing list.

 

And what about Cisco devices?

At the time of writing, only a few Cisco products are affected by the GHOST vulnerability, but the list may change:

  • Endpoint Clients and Client Software
    Cisco Jabber Guest 10.0(2) [CSCus69789]
  • Network and Content Security Devices
    Identity Services Engine (ISE) [CSCus68798]
  • Network Management and Provisioning
    Cisco Prime Infrastructure 2.2 [CSCus69495]
    Cisco Prime Optical for SPs [CSCus69483]
  • Routing and Switching – Enterprise and Service Provider
    Cisco Connected Grid Routers (CGR) [CSCus69450]
  • Voice and Unified Communications Devices
    Cisco Unified Communications Manager (UCM) 10.0 [CSCus66650]
    Cisco Unified Communications Manager Session Management Edition (SME) [CSCus66650]
    Cisco Unified Sip Proxy [CSCus69387]
  • Video, Streaming, TelePresence, and Transcoding Devices
    Cisco DCM Series 9900-Digital Content Manager [CSCus69463]
    Cisco Edge 300 Digital Media Player [CSCus69651]
    Cisco Edge 340 Digital Media Player [CSCus69652]
    Cisco Expressway Series [CSCus69558]
    Cisco TelePresence Conductor [CSCus69523]
    Cisco TelePresence Video Communication Server (VCS) [CSCus69558]
  • Cisco Hosted Services
    Cisco SLIM [CSCus69434]

Remember: IPS and NGFW products carry signatures to detect malicious network activity from threat actors attempting to exploit known vulnerable applications, which helps cover systems that cannot be patched immediately.
