All you need to know about the 'GHOST' vulnerability

A sysadmin's nightmare

Heartbleed

Another vulnerability shocked the world of technology and the Linux community earlier this week. The Qualys security research team found a critical vulnerability in the Linux GNU C Library (glibc) that allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials according to the security outfit.

What does it mean for you as an Internet user and what does it mean for Linux system administrators? Was it really a shocking event? Here's everything you need to know in seven short questions.

1. What is "GHOST"?

"GHOST" is the name of a vulnerability recently found in one of the key components of Linux systems. The component is the Linux GNU C Library that is used by all Linux programs. The vulnerability has been found in a function of this library that is used to convert Internet host names to Internet addresses.

If an attacker found vulnerable software and a way to transfer a properly crafted host name up to this function then theoretically the attacker could take over the control of the system.

2. How widespread is it?

This vulnerability affects almost all major Linux distributions, except a few such as Ubuntu 14.04. Millions of servers on the Internet contain this vulnerability.

What does it mean? It means that the vulnerability exists on servers but there should be certain conditions met to render the server remotely attackable. According to Qualys' report, they have found an email server software called Exim that is remotely exploitable. There is no recent and full deployment share report showing how many public Exim servers are on the Internet, however it has a measurable "market" share but according to some old reports it's just a few percent.

Note that to have an exploitable Exim-based email server one has to configure extra security checks for the HELO and EHLO commands of the SMTP protocol. Fortunately Qualys found that many well-known Linux-based web, email and other server software are not affected by this vulnerability like Apache, nginx, OpenSSH, syslog-ng.

So we can say that apart from that the vulnerability could be found on many servers actually the remotely attackable share of these servers is low.

3. How can I secure my Exim email server?

First of all deploy security fixes to all affected Linux servers as soon as possible. All major distributions have released security patches on the same day the security advisory published the vulnerability.

Keep in mind that to make security patch effective all affected software has be restarted. Many distributions do this automatically during glibc update but many of them leave this job for you.

Please make sure that your Exim server is restarted. This restart causes an SMTP service outage but normally this is only a few seconds and your email server users should not have any major issue because of this. If there was any ongoing SMTP connection – sending or receiving email – that would be aborted due to the restart and then the other side or the Exim will resend the email shortly.

In similar cases the possible impact of an unplanned outage is much lower than the possible impact of a successful attack.

4. Could an attacker do anything else than just take control of an email server?

There is no exact answer to this question. It depends on your deployment and configuration. If you use Exim just for front-end server as a smart host then the attacker can have access to your emails. If your email system is separated, and you do not store any credentials – passwords, SSH private keys, etc. – on the affected servers, then the impact could be relatively low. But if your Exim server hosts the mailboxes and/or has another server software on it then the attacker can have access to your data and in worst case to your other systems also.