February 3, 2015
There is a new critical vulnerability affecting a key component of Linux systems that has the potential to be a widespread issue similar to “Heartbleed” or “Shellshock.”
The Linux component affected is the Linux GNU C Library (glibc). The vulnerability CVE-2015-0235, called GHOST, can allow attackers to execute code remotely on the affected system. The vulnerability affects a function within the GNU C Library (gethostbyname, hence “GHOST”) that is used to translate Internet host names into IP addresses. A variety of major Linux distributions could be exposed, including most stable and long-term-support distributions.
What does this mean?
If your systems are affected by this vulnerability, an attacker will most likely be able to compromise the affected system easily and completely, obtain any data on that system, and use the compromised machine as a pivot point to attack other machines on the network. If the affected system is exposed to the Internet, it will most likely be subjected to attack attempts numerous times a day. If the system is only accessible internally, it is still at risk; however, it faces a smaller population of attackers unless malicious code is developed to take advantage of this issue.
The good news is that several mitigating factors are already in place. The vulnerability was fixed on May 21, 2013, with an update to the GNU C Library (glibc version 2.18). Newer Linux distributions or those using glibc-2.18 or later are not vulnerable. Note that this patch was not categorized as a security fix – therefore, many Linux distributions were left exposed, including Debian 7, Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, and Ubuntu 12.04. Additionally, the vulnerable function “gethostbyname()” is considered obsolete and has been replaced with “getaddrinfo()”. In other words, newer programs and applications may already be protected.
Although mitigating factors exist, organizations should investigate and test their Linux systems immediately to determine if they are vulnerable. Several leading vulnerability scanners have developed a software tool update to test for this issue. If the system is vulnerable, the organization should quickly apply the patch from the vendor.
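One way to test a single host locally, as an added example that is not part of Protiviti's advisory: the classic canary check. A buffer of known size is followed in memory by a canary string; gethostbyname_r() is called with a purely numeric name sized exactly to the flawed length calculation in glibc, and if the canary is altered the installed glibc still has the GHOST bug. Function and canary names are this example's own choices.

```c
#define _GNU_SOURCE          /* gethostbyname_r() is a GNU/BSD extension */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* The canary sits immediately after the buffer handed to gethostbyname_r().
 * A vulnerable glibc writes a few bytes past the end of the buffer and
 * clobbers it; a fixed glibc refuses the call with ERANGE instead. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the canary was corrupted (vulnerable), 0 if it is intact. */
int ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    /* Name length chosen so the buggy size check in glibc passes exactly:
     * sizeof(buffer) - sizeof(struct in6_addr) - 2 pointers - NUL.
     * All '0' characters: the name parses as the numeric address 0.0.0.0,
     * which takes the affected digits-and-dots code path. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    (void)gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                          &result, &herrno);

    return strcmp(temp.canary, CANARY) != 0;
}

int main(void)
{
    if (ghost_check())
        puts("vulnerable: canary overwritten, patch glibc and reboot");
    else
        puts("not vulnerable: canary intact");
    return 0;
}
```

Compile with gcc and run on the host itself; the result reflects only that host's installed C library, so it must be repeated per system (or per container image).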
Major Linux distributors released a patch for the vulnerability on January 27, 2015. Depending on the type and version of Linux, a patch may not yet be available and alternative protections – such as restricting access to the system, taking it offline or other means – should be employed to protect the system and organization.
The current patch solutions strongly recommend that the system be rebooted to fix the issue. Thus, organizations will need to coordinate change windows to accommodate the reboot. Organizations may also want to look for signs of potential compromise on affected systems that have been facing the Internet for some time. Since the attack involves remote code execution using privileges already assigned to the system, a typical intrusion detection system would not pick up this activity as an attack.
About Protiviti’s Vulnerability and Penetration Testing Services
The sophistication of IT attacks is on the rise. The statistics are disturbing:[1]
- 75 percent of breaches are executed within minutes of initial internal network access.
- 92 percent of organizations are made aware of a breach via third-party notification.
- In 54 percent of cases, it takes companies more than one month to become aware of a compromise.
- 38 percent of organizations take longer than one week to respond to and mitigate a breach.
Systems are penetrated by outsiders, insiders and business partners – and the average cost of a data breach in 2013 was $200 per record compromised. Are you prepared for the next wave of security threats expected to take place this year?[2]
How We Can Help
The power of Protiviti’s testing lies in the skills of our experts. We pool our talent to access proven technical skills and training that’s unmatched in the industry – going beyond simply relying on robust testing tools that only skim the surface of the complicated problem. Our holistic approach scrutinizes the people, processes and technology in your organization. We partner with you to protect the confidentiality, integrity and availability of your key systems and data – while at the same time balancing the costs and limitations that security controls can impose on your organization.
Our services include:
- Infrastructure Assessment
- Application Assessment
- Network Assessment
- Database Assessment
- Security Operations and Implementation Services
[1] CSI Computer Crime and Security Survey 2013; 2010 Annual Study: U.S. Cost of a Data Breach, Ponemon Institute, March 2013.
[2] Turn cyber-attacks into counter intelligence, The 2014 Data Breach Investigations Report (DBIR).
Content Contributed by: