Last month, a new and critical vulnerability was uncovered in the GNU C library (glibc). Dubbed colloquially as “GHOST,” the flaw made use of gethostbyname(), one of the most common function calls in Linux. In so doing, it allowed attackers to gain remote control of just about any Linux machine, executing malicious code at their leisure.
“This bug can be triggered both locally and remotely via all the gethostbyname*() functions,” explained Qualys, the company responsible for uncovering the vulnerability. “Applications have access to the DNS resolver primarily through the gethostbyname(*) set of functions. These functions convert a hostname into an IP address.”
Not surprisingly, this made GHOST extremely dangerous – as dangerous, some might say, as Heartbleed, Shellshock, and Poodle.
Now, I’ve got good news and I’ve got bad news. The good news is that because of how serious a vulnerability GHOST happened to be, the vast majority of Linux distros patched out the bug only a few days after it was discovered. By now, anyone who’s recently updated their Linux installation should be more or less safe from GHOST.
So … if it’s no longer a problem, why am I writing about it?
Well, that’s the bad news. As it turns out, GHOST might not be confined strictly to Linux systems. It could affect a wide array of PHP applications and content management systems … including the immensely popular WordPress.
“Researchers at Veracode this week published their look at GHOST and determined that, like Bash, gethostbyname is relatively everywhere,” writes Threatpost’s Michael Mimoso. “Veracode said that 41% of the enterprise applications uploaded to its platform in the past 90 days rely on glibc to make gethostbyname function calls. The company added that 80% of those potentially vulnerable applications are critical off-the-shelf or homegrown business apps that access databases and backend systems, executing sensitive transactions.”
In other words, GHOST just got a whole lot scarier.
There’s only one silver lining to this news. Unlike Heartbleed and Poodle, GHOST is actually relatively difficult to exploit. It requires a targeted attack – a hacker looking to make use of GHOST needs to target one specific website or organization.
“Unlike with Heartbleed, which was a protocol-level vulnerability, exploiting this vulnerability requires a specially-crafted payload that has been targeted for a specific application and hardware platform,” explained Veracode co-founder and CTO Chris Wysopal. “That means you can’t simply reuse the proof-of-concept exploit developed by Qualys (for the Exim mail server) to attack other applications. As a result, GHOST attacks are more likely to be sophisticated and targeted.”
Alright. So now that you know about GHOST, what can you do to defend your organization?
That’s the good news. All you really need to do is update your operating system/platform. Do that, and it won’t matter if you’ve still got applications that use gethostbyname – there won’t be a vulnerability for them to exploit any longer.
If updating isn’t an option, you can also check your applications to see if any of them make use of gethostbyname (this code from Sucuri can be used to run a test). If they do, patch them so that the call is no longer part of their code. It may also be worthwhile to disable XML-RPC and pingback requests.
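
One way to take that inventory for PHP code, as an added example (it is not Sucuri's test and not code from the original post): a scanner that lists every call to PHP's gethostbyname() and gethostbynamel() built-ins under a directory, ignoring mentions inside comments. The function names and the sample plugin file are constructed for illustration, and a hit only shows where hostnames reach the resolver, not whether the installed glibc is patched.

```python
import re
import tempfile
from pathlib import Path

# Lookbehind skips method calls ($r->gethostbyname), static calls, longer names.
RESOLVER_CALL = re.compile(r"(?<![\w$>:])(gethostbynamel?)\s*\(", re.IGNORECASE)
# String literals are matched first so "//" or "#" inside one is not read as a comment.
STRING_OR_COMMENT = re.compile(
    r"""('(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")|(/\*.*?\*/|//[^\n]*|\#[^\n]*)""",
    re.DOTALL,
)

def blank_comments(src):
    """Overwrite comments with spaces; newlines stay so line numbers still match."""
    def repl(m):
        return m.group(1) if m.group(1) is not None else re.sub(r"[^\n]", " ", m.group(2))
    return STRING_OR_COMMENT.sub(repl, src)

def find_resolver_calls(root, suffixes=(".php", ".inc")):
    """Return (relative path, line, function) for each call site under root."""
    root, hits = Path(root), []
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix.lower() not in suffixes:
            continue
        code = blank_comments(path.read_text(encoding="utf-8", errors="replace"))
        for m in RESOLVER_CALL.finditer(code):
            line = code.count("\n", 0, m.start()) + 1
            hits.append((path.relative_to(root).as_posix(), line, m.group(1).lower()))
    return hits

# Constructed sample plugin file, not taken from any real project.
SAMPLE_PHP = """<?php
// gethostbyname() used to be called here
$url = "http://example.test//path";
$ip = gethostbyname($host);
/* disabled:
   gethostbynamel($host); */
$all = GetHostByNameL($host);
$r = $resolver->gethostbyname($host);
"""

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp, "plugins", "pinger")
        plugin.mkdir(parents=True)
        (plugin / "ping.php").write_text(SAMPLE_PHP, encoding="utf-8")
        return find_resolver_calls(tmp)

if __name__ == "__main__":
    print("\n".join(f"{p}:{n}: {f}()" for p, n, f in demo()))
```

String literals are left in place, so a call name that appears inside a string is still reported; for an inventory like this a false positive is cheaper than a missed call site.
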
Either way, you need to see to this as soon as possible. Although GHOST may be more difficult to exploit – and thus less likely to be used as an attack vector – that doesn’t mean your organization isn’t still at risk. The sooner you protect yourself against it, the better.