Highly critical “Ghost” allowing code execution affects most Linux systems

Discussion in 'all things UNIX' started by lotuseclat79, Jan 27, 2015.

  1. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    Highly critical “Ghost” allowing code execution affects most Linux systems.

    In the article's Comments, chrisjean mentions:

    Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.10
    Ubuntu 10.04 LTS: libc6 2.11.1-0ubuntu7.20

    The current release versions (14.04 LTS and 14.10) are not affected.

    I had to download the 12.04 package for precise from packages.ubuntu.com/precise/allpackages for the i386, i.e. libc6_2.15-0ubuntu10.10_i386.deb as it was not yet a part of any security update via the Synaptic Package Manager (perhaps I may not have done a reload in my haste to get the update), so it would be wise for any Ubuntu users out there to remember that the base website packages.ubuntu.com is where you can find all of the packages that have been released by Ubuntu updates for your particular Ubuntu release.

    -- Tom
     
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    For me, that's a very reassuring list.

    Also, it's important to keep in mind that this is a server bug.

    I wonder if bittorrent apps are vulnerable.
     
  3. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
    P.S. Since I have a 32-bit desktop processor, the other package I needed to install was libc6-dev_2.15-0ubuntu10.10_i386.deb both of which are more easily installed by just using Synaptic Package Manager.

    -- Tom
     
  4. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    It's actually not limited to servers (I admit the way AT wrote the article is misleading), and since glibc is quite popular, theoretically almost all distros can be affected.

    However, there are some mitigating factors as well, described in TrendMicro's post here.

    But what scared me was that, though the patch was released for a few OSes in May 2013, there had still been a more than 2-year vulnerable period before that, and even after the patch nobody noticed it actually had a security impact until now.

    This is, for me, another indication that the assumption that Linux is inherently secure is just a myth and we have to employ strict privilege control and MAC, i.e. SELinux, AppArmor, or even another LSM such as Tomoyo (I'm very aware that SELinux is by the NSA).
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,024
    Yes, I see now: "The bug affects virtually all Linux-based software that performs domain name resolution. As result, it most likely can be exploited not only against servers but also client applications." Missed that :eek:

    I wonder what sorts of apps perform domain name resolution in manipulable ways.
     
  6. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,089
  7. NGRhodes

    NGRhodes Registered Member

    Joined:
    Jun 23, 2003
    Posts:
    2,331
    Location:
    West Yorkshire, UK
    Please tell me which non-server software is vulnerable?

    But in reality this is not true; just because * links to glibc does not mean it is vulnerable, the software also needs to implement one of the 2 DNS methods affected.
    Even though desktops COULD be vulnerable, you have to remember that remote attacks require a listening service and ports open to receive the payload, and this is on top of the application handling DNS itself.
    A locally crafted attack (malware) would still require an application to do DNS itself (via GLIBC), as mentioned above; does anyone know any that do (and why would they locally?!?)?
    Unless someone can provide examples of desktop applications being vulnerable, I think it's safe to say this is currently only limited to a specific set of services.
    And then you have to remember the exploit would only run with the permissions of the user who started the process, so the chances of being able to remotely take over an entire system from a desktop are slim.

    Which software would prevent Ghost working with "strict privilege control and MAC" ?
     
    Last edited: Feb 1, 2015
  8. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    I don't know. Something may be revealed, or may not.
    Can't you see I said "theoretically"? But since nearly all apps which use an internet connection would query DNS, I think two ways would be MITMing DNS from the LAN or compromising a DNS server, though it doesn't directly mean the app is vulnerable, as not all apps use gethostbyname*(), and even when an app uses it, not always. In the not-affected list you'll see some apps which can also be used on a client computer; fortunately they're not affected because they don't use gethostbyname*() or due to other architectural properties, but other similar apps may be, or may not be.

    As far as I've understood so far, even when an app uses that vulnerable function the attack is still not trivial, as what the attacker can write is only 4 (or 8 when the OS is 64-bit) bytes. But as is always the case in security, we should assume the worst case, and at least this can be used in a targeted attack, possibly combined with other vulns, which recently have been discovered more than in the past, or even an unknown one.

    Even without takeover, damage is well possible unless that user took proper restrictions. Oh, who said privilege control and MAC prevent exploits? They are not for prevention, but for damage control after intrusion. I think you know this but maybe simply misunderstood what I said?

    [EDIT] I did a bit of searching. Here's a summary:
    - Most locally accessible programs, especially SUID binaries, call gethostbyname*() only when inet_aton() failed. But to cause the overflow, a successful inet_aton (i.e. one that meets the inet_aton requirement; it is internally called in __nss_hostname_digits_dots) is needed. So those programs are safe.

    - Most remotely accessible programs, especially server programs, use gethostbyname() for forward-confirmed reverse DNS queries (FCrDNS: full-circle reverse DNS). Those programs are basically safe because usually the host names going to be handed to gethostbyname are checked by DNS software before. (Further details omitted as they are too technical for me.)
     
    Last edited: Feb 1, 2015
  9. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    8,694
    Yuki: "But what scared me was that, though the patch was released for a few OSes in May 2013, there had still been a more than 2-year vulnerable period before that, and even after the patch nobody noticed it actually had a security impact until now."

    That should actually help you relax. Because there was no catastrophe in the past 20 months, the bug is probably not as doomsdayish as they preach. In general, all and every security/safety related stuff is overblown. In the 2000s, we were almost eradicated by Mad Cow, SARS, H1N1, Ebola, and a few others. Conficker was so deadly you were supposed to turn your computer off in 2008, and Soviet ICBMs did not self-launch only because Y2K was properly patched. And so forth.

    Hype and fear sell hotter than hotcakes.

    Mrk
     
  10. Yuki2718

    Yuki2718 Registered Member

    Joined:
    Aug 15, 2014
    Posts:
    1,257
    Basically agree; almost always those news stories tend to be too sensational, but I think you know about Flashback, which infected 0.6 million Mac computers; that is because many people blindly trusted Apple's claim of no infection, as there had not been actual infections except limited and tricky ones.
    What shocked me a bit is, again, that a serious vuln went undiscovered for a long time even though it's open source. I'm beginning to feel open source is actually not as secure as I've felt it is.
     