The dust is still settling here at Qualys after the discovery of the Linux GHOST vulnerability back in January, but we already observed some valuable lessons. While GHOST sparked some debate in the industry with regards to whether or not the vulnerability was severe enough to take action, it also once again highlighted the common questions associated with such a discovery.
Specifically: how likely is this vulnerability to be exploited? How quickly and inclusively do I need to react? Here we dive deeper into GHOST and what organisations should do to ensure they have properly addressed the impact on their security posture.
First, some background. During the course of analysing potential vulnerabilities, our security researchers at Qualys found a critical problem in a basic part of the Linux operating system, the GNU C Library (also known as glibc). This library is a core part of Linux, and all Linux programs use it for basic operations. Many internet-facing programs run on Linux, making a remote attack quite likely. In our initial advisory we outlined the proof-of-concept for such an attack using the EXIM mail server as an example.
Any Linux program that uses the glibc function "gethostbyname" is potentially vulnerable. GHOST refers to a weakness in this function that maps human readable names such as www.qualys.com to IP addresses such as 126.96.36.199 – a basic function exercised billions of times a day. It is in this function that the vulnerability was found. If the attacker can influence the address to be translated and is allowed to provide an abnormally long (greater than 1000 characters) address, the vulnerability is triggered.
A program can protect itself by, for example, refusing to accept an address that is so long (the relevant internet standard limits length to 255 characters), but many do not have this additional check. To illustrate this behaviour, when we ran the original advisory, Qualys included references to four programs that had this issue as well as some programs that were not vulnerable.
Ultimately it is difficult to decide whether a program is vulnerable, but attackers have access to fuzzing algorithms that can automate the finding of problematic instances, and of course with access to the source code can just look for the usage of the vulnerable function.
Protection from poltergeists
One of the more controversial elements of the GHOST vulnerability has been the discussion around the urgency of the fix. Few will argue that fixing the vulnerability is unimportant, but there was a large amount of discussion around exactly how exploitable and dangerous GHOST is.
The most common issue raised was the difficulty in exploiting the vulnerability. For GHOST to be exploited by an attacker, a particular set of circumstances needs to be fulfilled. The attacker needs to be able to provide the long hostname to an accessible program that does not sanitise its inputs. This situation led some to deprioritise the patch or even not to patch at all.
However, just a few weeks after the initial release researchers at Sucuri found that the popular blogging software Wordpress fulfilled the listed circumstances. A feature called "pingback" allows the attacker to provide a lengthy hostname that gets passed unfiltered to the underlying PHP engine, which uses the "gethostbyname" function directly on the passed argument. Wordpress has millions of installations, the majority directly on the internet. Shortly thereafter Veracode published their statistics on enterprise web applications and stated that at least 25% make use of the vulnerable function.
We believe the best way to mitigate risk is to apply a patch from your Linux vendor. Qualys has worked closely with Linux distribution vendors and patches are available today (see the list here). While we do not recommend patching blindly, we think a speedy resolution is important, starting with internet exposed systems.
There is much to be lost by refusing to apply a patch and everything to gain by protecting your network from unwarranted access. Attackers are working hard to find exploits for GHOST and administrators cannot fall back on the belief that nothing which has been reported thus far impacts them.
Ready for next time
A vulnerability scanning solution can provide reports detailing your enterprise-wide exposure and allows you to get visibility into the impact within your organisation, and efficiently track the remediation progress of this serious vulnerability.
GHOST was not the first time that we have seen such a wide reaching vulnerability in the Linux operating system and it won't be the last. The work you are doing now to catalogue and prioritise systems will be beneficial for your team when the next vulnerability occurs, allowing you to look at the problem calmly, prioritise systems and then patch accordingly. After all, even something that looks initially harmless has the potential to significantly impact the security of your network.
- Wolfgang Kandek is CTO at Qualys