Seven things you need to know about the ‘GHOST’ vulnerability
- Published: Friday, 06 February 2015 09:39
By Szilard Stange.
Another vulnerability shocked the Linux world on 27th January 2015. The Qualys security research team found a critical vulnerability in the Linux GNU C Library (glibc) that allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials.
What does it mean for Linux system administrators? Was it really a shocking event? Here's everything you need to know:
1. What is GHOST?
GHOST is the name of a vulnerability recently found in one of the key components of Linux systems. The component is the Linux GNU C Library that is used by all Linux programs. The vulnerability has been found in a function of this library that is used to convert Internet host names to Internet addresses.
If an attacker found vulnerable software and a way to transfer a properly crafted host name up to this function then theoretically the attacker could take over the control of the system.
2. How widespread is it?
This vulnerability affects almost all major Linux distributions, except a few such as Ubuntu 14.04. Millions of servers on the Internet contain this vulnerability.
What does it mean? It means that the vulnerability exists on servers but there should be certain conditions met to render the server remotely attackable. According to Qualys’ report, they have found an email server software called Exim that is remotely exploitable. There is no recent and full deployment share report showing how many public Exim servers are on the Internet, however it has a measurable ‘market’ share but according to some reports it's limited to just a few percent.
Note that to have an exploitable Exim-based email server one has to configure extra security checks for the HELO and EHLO commands of the SMTP protocol.
Fortunately Qualys found that many well-known Linux-based web, email and other server software are not affected by this vulnerability like Apache, nginx, OpenSSH, syslog-ng.
So we can say that apart from that the vulnerability could be found on many servers actually the remotely attackable share of these servers is low.
3. How can I secure my Exim email server?
First of all deploy security fixes to all affected Linux servers as soon as possible. All major distributions have released security patches on the same day that the security advisory detailed the vulnerability.
Keep in mind that to make security patches effective all affected software has to be restarted. Many distributions do this automatically during glibc update but many of them leave this job for you.
Please make sure that your Exim server is restarted. This restart causes an SMTP service outage but normally this is only a few seconds and your email server users should not have any major issue because of this. If there was any ongoing SMTP connection – sending or receiving email – that would be aborted due to the restart and then the other side or the Exim will resend the email shortly.
In similar cases the possible impact of an unplanned outage is much lower than the possible impact of a successful attack.
4. Could an attacker do anything else than just take control of an email server?
There is no exact answer to this question. It depends on your deployment and configuration. If you use Exim just for a front-end server as a smart host then the attacker can have access to your emails. If your email system is separated, and you do not store any credentials – passwords, SSH private keys, etc. – on the affected servers, then the impact could be relatively low. But if your Exim server hosts the mailboxes and/or has another server software on it then the attacker can have access to your data and in worst case to your other systems also.
If you suspect that your server is attacked successfully, remove the server from operation immediately, plug out all network connections and execute your emergency plan. Do you have plans for such scenarios? You should...
If you do not have such an emergency plan then maybe the easiest and most secure way is to reinstall the whole system.
5. Are my Linux servers safe now?
If you deployed security patches quickly and you have checked that your server software were not affected and/or there is no sign of any attack then you can sit back. However, we don't have information on all software: mainly we don't know how much third party software is affected.
To be on the safe side, pay special attention to your servers, log files and the websites of your Linux distributor and vendors of any third party software you use on your servers in the next few days to make sure that you do not miss anything important regarding this vulnerability.
6. Is there anything I can do to be prepared for future vulnerabilities?
Just ask yourself: were you nervous after reading the security advisory about GHOST? If you just needed to execute previously defined steps, such as updating your infrastructure, to make sure that your system is secure then you did a great job: you were well prepared. However existing processes and infrastructure can always be improved. Take this opportunity to think about your systems and processes:
- Is there a faster way to deploy security fixes?
- Are there any unnecessary/unused services that you can shut down to minimize the attack surface?
- Is there any setting or functionality of any currently used software that you can switch off?
- Are you subscribed to security advisory alerts? Did you receive GHOST alerts in time?
- Is anybody watching security alerts 24/7 to take all necessary steps immediately when needed?
7. What should I do as an Internet user?
You cannot do much. You are unlikely to be affected by this vulnerability. There is a very small chance that an attacker could send you a fake email or catch your email via a hacked email server or access your personal information stored on a hacked server but the probability is low enough that you should not be worried.
Szilard Stange is director of product management, OPSWAT.