GHOST Vulnerability…Not That Scary
Who it affects, how hackers could use it, and what you should do about it.
The recently discovered GHOST vulnerability is a bug that could potentially allow a buffer overflow in Linux systems. Sounds scary, right? In reality, the media coverage surrounding this vulnerability has hyped it up more than it deserves. Although GHOST (CVE-2015-0235) is categorized as a 10 on the NIST database, if you dive deeper into the vulnerability, it has a very low probability of being exploited and is extremely difficult to exploit.
Here are the facts
- GHOST affects the gethostbyname and gethostbyname2 functions in the Linux GNU C library (glibc)
- The vulnerability could enable attackers to remotely take control of a system through a buffer overflow
- This vulnerability has been patched since May 2013, which means new Linux systems, and any patched systems, aren’t affected
Which systems are affected?
- Debian 7 (Wheezy)
- Red Hat Enterprise Linux 5/6/7
- CentOS 6/7
- Ubuntu 12.04
- Any other systems using glibc versions from 2.2 to 2.18
Can I be compromised through GHOST?
While this is a legitimate attack, the likelihood of being compromised via GHOST is extremely small. So far, only the Exim Mail Transfer Agent has been confirmed as possibly exploitable. Even if you use Exim, the Exim gethostbyname configuration option is off by default.
Let us put this in context. Out of all the vulnerability scans SecurityMetrics customers ran on their systems in 2015, only .01% detected the use of Exim. That percentage decreases exponentially when you consider that the Exim gethostbyname configuration must be turned on for the Linux system to be vulnerable, and there must be an exploitable version of the glibc library on the system.
Our recommendations
- Don’t panic
- Apply glibc patches on your systems, if needed
- If you’re worried about a breach, start watching your logs for abnormal program terminations (crash reports)
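One way to act on the last recommendation, as an added example that is not from the original article: the script below scans syslog lines for kernel segfault records and flags processes that repeatedly crash inside a libc whose file name carries a version in the 2.2 to 2.18 range listed above. It assumes the kernel's usual "segfault at ... in module[...]" line and a versioned library file name such as libc-2.13.so; the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# Kernel line logged when a process dies with SIGSEGV, for example:
#   exim4[2817]: segfault at ... ip ... sp ... error 4 in libc-2.13.so[...]
SEGFAULT = re.compile(
    r"kernel: (?:\[\s*[\d.]+\]\s*)?(?P<proc>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at "
    r"[0-9a-f]+ ip [0-9a-f]+ sp [0-9a-f]+ error \d+(?: in (?P<module>[^\s\[]+)\[)?"
)
LIBC = re.compile(r"^libc-(\d+)\.(\d+)(?:\.\d+)?\.so$")  # assumed versioned file name


def in_page_range(module):
    """True for libc-X.Y.so with 2.2 <= X.Y <= 2.18, the range the article lists."""
    m = LIBC.match(module or "")
    return bool(m) and (2, 2) <= (int(m.group(1)), int(m.group(2))) <= (2, 18)


def find_crashes(lines):
    """One dict per segfault line; libc_in_range marks faults inside an in-range libc."""
    hits = []
    for line in lines:
        m = SEGFAULT.search(line)
        if m:
            hits.append({**m.groupdict(), "libc_in_range": in_page_range(m.group("module"))})
    return hits


def repeat_offenders(hits, threshold=2):
    """Processes that crashed inside an in-range libc at least `threshold` times."""
    counts = Counter(h["proc"] for h in hits if h["libc_in_range"])
    return {proc: n for proc, n in counts.items() if n >= threshold}


# Constructed sample lines: hosts, PIDs and addresses are made up for illustration.
SAMPLE = [
    "Jan 28 03:12:44 mail01 kernel: [81234.112233] exim4[2817]: segfault at 7f3a1c000010 ip 00007f3a1b8f2a31 sp 00007ffd3c1a2b80 error 4 in libc-2.13.so[7f3a1b870000+182000]",
    "Jan 28 03:12:51 mail01 kernel: [81241.554433] exim4[2822]: segfault at 7f3a1c000010 ip 00007f3a1b8f2a31 sp 00007ffd3c1a2c10 error 4 in libc-2.13.so[7f3a1b870000+182000]",
    "Jan 28 04:01:02 mail01 kernel: [84132.000111] php5[3011]: segfault at 0 ip 00000000006a1b2c sp 00007ffc11223340 error 4 in php5[400000+800000]",
    "Jan 28 04:05:00 mail01 CRON[3050]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 28 05:00:10 web02 kernel: [  912.004411] nginx[1201]: segfault at 8 ip 00007f10aa112233 sp 00007ffe00112233 error 4 in libc-2.19.so[7f10aa0a0000+1bb000]",
]

if __name__ == "__main__":
    hits = find_crashes(SAMPLE)
    for h in hits:
        print(h["proc"], h["pid"], h["module"], "libc-in-range" if h["libc_in_range"] else "other")
    print("investigate:", repeat_offenders(hits))
```

A flagged process is a reason to look closer, not proof of an exploitation attempt, and the version in the file name does not show whether the distribution backported the fix, so confirm the installed glibc package level separately.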