CVE-2015-0235 “Ghost” Linux glibc vulnerability

For those that missed it, CVE-2015-0235 (aka Linux Ghost) was announced today which details a glibc library bug that is still on many Linux distributions. glibc is used by many applications including webservers, mail servers, php applications etc.

The specific bug was in the gethostbyname() and gethostbyname2() functions (hence “ghost” name!), so only applications that call these are potentially vulnerable. Even then, there is limited scope for exploitation, but there already has been a PoC for the Exim mail server developed so it certainly is possible (given the right conditions). Luckily, these two functions lack IPv6 support, so many newer applications and services have chosen to stop using these functions, and instead use IPv6-enabled functions instead. As has been seen however, some popular ones such as Exim do still use the older IPv4-only functions.

The bug itself has been around since 2000, and was inadvertently patched in August 2014 without realising the implications. Unfortunately since the security issues were not detected at the time, many Linux distributions didn’t back-port the patch into Linux distributions. This is what has occurred today.

Accordingly, we have now taken the following actions:

  • All standard-level webservers globally and chroot environments have been patched and restarted between 6:30AM and 7:15AM this morning.
  • All mail servers were patched and restarted between 6:30AM and 7:15AM this morning.
  • We will be taking the following actions that may result in a few minutes downtime for some sites tonight:

  • All protected-level webservers globally and chroot environments will be patched and restarted overnight at varying times (critical maintenance alert will have been received by all affected customers). As these are all behind load balancers, this shouldn’t have any end-user affect.
  • RackCorp monitoring services will be restarted throughout the day. This may result in some performance graphs being slightly skewed at times.
  • In addition:

  • VM Hosts will have no noticeable impact.
  • Load Balancer services will have no noticeable impact.
  • RackCorp API services will have no noticeable impact (however some unrelated database maintenance is scheduled for tonight that may result in queries taking a few seconds longer than usual).
  • Content delivery services are unaffected.
  • Network services are unaffected.
  • In terms of customer patch cycles, we are treating this as a critical bug for some customers, and moderate (normal patch cycle) for others depending upon the attack vector surface area. All affected customers will have received an email accordingly. If you are unsure of the impact for your specific services, please raise a support ticket accordingly.

    Additional useful resources:
    Ars Technica Writeup on Linux Ghost
    gethostbyname() vs getaddrinfo() by Erratasec

    [del.icio.us] [Digg] [StumbleUpon] [Technorati] [Windows Live]