We ain’t afraid of no Ghost

unnamedThe lovely boys and girls at Qualys have been hard at work running their beady eyes over Linux source code and have found yet another vulnerability in an old library which makes old unpatched Linux systems vulnerable from the inside or outside. The first of our 2015 predictions comes true in two weeks!

Triggered by the GetHOST functions it has been labeled the GHOST vulnerability.  Vulnerable versions of the glibc library are between glibc-2.2 released way back in November 2000. The vulnerability takes the form of a buffer overflow and was actually fixed in May 2013 (by some eagle eyed coder), however since it was never identified as a security issue, many systems were never patched.

If you want the lightweight version of the advisory take a look at this:

If you have your hat with the propeller on top of it at the ready, this is the bad boy for you: https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt

Qualys has built a fully functioning exploit against the Exim mail server and other mail servers, MySQL servers, Secure Shell servers, form submission apps may also be vulnerable.

Qualys has also done us all a favour by identifying apps it believes to be not afraid of no GHOST: The list includes Apache, Cups, Dovecot, GnuPG, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers, vsftpd, and xinetd.

Qualys hasn’t released the actual exploit code but the article above contains clues that would make Dan Brown proud.

The priority is to patch your kit which may well involve a reboot, be warned.

Obviously Qualys scanners can identify if your systems are vulnerable. If you are a NetSure360° customer this will be done automatically. If you are not a NetSure360° customer, or not even an ITC customer at all (shame on you) and would like us to arrange an external scan of any of your servers, please contact us at: [email protected] or call 020 7517 3900

We don’t believe in coincidences here at ITC towers and find it hard to believe that this isn’t stealth marketing for the remake (yes that is remake not reboot, grrr) of Ghostbusters, whose all girl cast was announced on the same day as this GHOST vulnerability was announced. Spooky.