soulshepard
It appears we have yet another sleepy crawly creepy bug lurking in the depths of our Linux boxes..
A glibc bug that was not identified as a security bug, perhaps a true y2k bug, is affecting us now..
Possible exim.. and more.. in any case a remote execution possibility for many systems...
I guess it is time to emergency patch all the servers again as soon as the patches become available.
As I read, all distros are releasing / building patches for it.
source: http://www.openwall.com/lists/oss-security/2015/01/27/9
source: http://www.zdnet.com/article/critical-linux-security-hole-found/
Other sources:
https://threatpost.com/ghost-glibc-...ulnerability-affects-all-linux-systems/110679
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0235
--[ 1 - Summary ]-------------------------------------------------------------

During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it -- and its impact -- thoroughly, and named this vulnerability "GHOST".

Our main conclusions are:

- Via gethostbyname() or gethostbyname2(), the overflowed buffer is located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the overflowed buffer is caller-supplied (and may therefore be located in the heap, stack, .data, .bss, etc; however, we have seen no such call in practice).
- At most sizeof(char *) bytes can be overwritten (ie, 4 bytes on 32-bit machines, and 8 bytes on 64-bit machines). Bytes can be overwritten only with digits ('0'...'9'), dots ('.'), and a terminating null character ('\0').
- Despite these limitations, arbitrary code execution can be achieved. As a proof of concept, we developed a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will publish our exploit as a Metasploit module in the near future.
- The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.
- We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.
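The summary above gives two version boundaries that a sysadmin can turn into a quick triage check: glibc-2.2 is the first vulnerable release and the upstream fix landed between 2.17 and 2.18. The script below (an added example for this thread, not code from Qualys or the glibc project) parses the first line of `ldd --version` and classifies the upstream version against those boundaries. The sample `ldd` lines are constructed; the function and status names are my own. The important caveat is built into the result: a version inside the vulnerable range only means "check your distribution's package changelog for a backported fix", because the long-term-support distributions named in the advisory ship patched builds that still report 2.12, 2.13, 2.15 or 2.17.

```python
import re
import subprocess

# Boundaries taken from the Qualys GHOST summary (CVE-2015-0235):
# first vulnerable release glibc-2.2, fixed upstream before glibc-2.18.
FIRST_VULNERABLE = (2, 2)
FIRST_FIXED_UPSTREAM = (2, 18)

# Possible triage outcomes (hypothetical names for this example).
PREDATES_BUG = "PREDATES_BUG"              # older than 2.2
FIXED_UPSTREAM = "FIXED_UPSTREAM"          # 2.18 or newer
VULNERABLE_RANGE = "VULNERABLE_RANGE"      # 2.2 .. 2.17: verify distro backport

# `ldd --version` ends its first line with the upstream glibc version,
# e.g. "ldd (GNU libc) 2.17" or "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.11) 2.15".
_TRAILING_VERSION = re.compile(r"(\d+)\.(\d+)\s*$")


def parse_glibc_version(ldd_first_line: str) -> tuple:
    """Return (major, minor) of the upstream glibc version on an ldd line."""
    match = _TRAILING_VERSION.search(ldd_first_line)
    if match is None:
        raise ValueError("no glibc version found in: %r" % ldd_first_line)
    return int(match.group(1)), int(match.group(2))


def classify(version: tuple) -> str:
    """Place an upstream (major, minor) version against the GHOST boundaries."""
    if version < FIRST_VULNERABLE:
        return PREDATES_BUG
    if version >= FIRST_FIXED_UPSTREAM:
        return FIXED_UPSTREAM
    return VULNERABLE_RANGE


def triage_line(ldd_first_line: str) -> str:
    """Human-readable verdict for one ldd line, including the backport caveat."""
    version = parse_glibc_version(ldd_first_line)
    status = classify(version)
    if status == VULNERABLE_RANGE:
        return ("glibc %d.%d is in the vulnerable range; confirm whether the "
                "distribution package carries a backported fix for CVE-2015-0235"
                % version)
    if status == FIXED_UPSTREAM:
        return "glibc %d.%d includes the upstream fix" % version
    return "glibc %d.%d predates the affected code" % version


def local_ldd_first_line() -> str:
    """Run `ldd --version` on this host and return its first output line."""
    out = subprocess.run(["ldd", "--version"], capture_output=True, text=True)
    return out.stdout.splitlines()[0]


if __name__ == "__main__":
    # Constructed sample lines from the advisory's example distributions.
    samples = [
        "ldd (GNU libc) 2.12",                          # CentOS 6 style
        "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.11) 2.15",   # Ubuntu 12.04 style
        "ldd (GNU libc) 2.18",                          # first fixed upstream
    ]
    for line in samples:
        print(line, "->", triage_line(line))
    # Uncomment to check the machine the script is run on:
    # print(triage_line(local_ldd_first_line()))
```

Run it as-is to see the three constructed lines classified; uncomment the last line to check the host itself. The version test is deliberately conservative: it never reports "fixed" for a version below 2.18, leaving the backport question to the package manager (e.g. the distribution's changelog or security advisory for its glibc package).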