Q: What’s been around for 15 years and was fixed in 2013, but is still bedeviling Linux systems?
A: The extremely serious “Ghost” vulnerability.
Most Linux distributors and server administrators were caught off guard in January, when the cloud security firm Qualys revealed that a long-standing bug in a library present on nearly every Linux system is in fact a critical flaw. The bug is a buffer overflow that a remote attacker can trigger by sending a crafted hostname to a network service which hands it to the library for lookup, potentially letting the attacker run arbitrary code on the machine. It carries the official designation CVE-2015-0235, but has been nicknamed “Ghost,” after the gethostbyname() function in which it lives.
The problem has been present in the GNU C library, glibc (the C library used by most Linux machines), since the year 2000. It was found and fixed in May 2013, in the development that became glibc 2.18, but the change was treated as an ordinary bug fix rather than a security patch, so distributions that freeze a glibc version for the life of a release never backported it. That means long-term installations such as Red Hat Enterprise Linux 6 and 7, CentOS 6 and 7, Debian 7 and Ubuntu 12.04 were, at the time of disclosure, still running with a “ghost in the machine.”
The reach of this vulnerability becomes clear when you consider where the bug sits: in the code behind gethostbyname() and gethostbyname2(), the classic calls that Linux software uses to turn a hostname into an address. Almost any program that resolves names with those functions, and feeds them input an attacker can influence, is potentially affected. That means it’s not just the server itself which is at risk, but a huge number of client applications as well. (Programs that use the more modern getaddrinfo() call are not affected by this particular bug.)
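To find out whether a given machine is still running a vulnerable glibc, a short C program can be compiled and run on it. The one below is an added example written for this article, not code from Qualys or the glibc project; it follows the canary technique the Qualys advisory used for its own test program. It places a canary immediately after the buffer handed to gethostbyname_r(), asks glibc to resolve an all-digit name whose length is chosen so that the buggy size calculation believes it fits, and then checks whether the canary survived. The canary string, the 1024-byte buffer and the derived hostname length are assumptions of the example.

```c
/* ghost_probe.c: added example, adapted from the canary technique in the
 * Qualys advisory; not code from the article. Build and run on the host:
 *   gcc -o ghost_probe ghost_probe.c && ./ghost_probe
 */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CANARY "in_the_coal_mine"   /* assumed marker value */

/* The lookup buffer is followed in memory by a canary. A vulnerable
 * __nss_hostname_digits_dots() undercounts the space it needs by
 * sizeof(char *) and writes past the buffer into the canary. */
static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} probe = { "buffer", CANARY };

/* Returns 1 if the canary was overwritten (glibc is vulnerable), 0 if not.
 * If retval_out is non-NULL it receives gethostbyname_r()'s return value;
 * a patched glibc returns ERANGE because the name does not fit. */
int ghost_probe(int *retval_out)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;

    /* Name length chosen so that the buggy size computation, which omits
     * sizeof(*h_alias_ptr), believes the name fits:
     * strlen(name) = buflen - sizeof(host_addr) - sizeof(h_addr_ptrs) - 1 */
    size_t len = sizeof(probe.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    char name[sizeof(probe.buffer)];
    memset(name, '0', len);          /* all digits: takes the numeric path */
    name[len] = '\0';

    memcpy(probe.canary, CANARY, sizeof(CANARY));   /* reset between calls */
    int retval = gethostbyname_r(name, &resbuf, probe.buffer,
                                 sizeof(probe.buffer), &result, &herrno);
    if (retval_out)
        *retval_out = retval;

    return strcmp(probe.canary, CANARY) != 0;
}

int main(void)
{
    int retval;
    if (ghost_probe(&retval)) {
        puts("vulnerable: canary overwritten");
        return EXIT_FAILURE;
    }
    if (retval == ERANGE)
        puts("not vulnerable: glibc rejected the oversized name");
    else
        printf("inconclusive: gethostbyname_r returned %d\n", retval);
    return EXIT_SUCCESS;
}
```

The probe is deliberately harmless: the overflow, if it happens, lands in the program’s own canary, so the worst outcome on a vulnerable host is the word “vulnerable” on standard output. It has to be compiled against the glibc you want to test, so run it on each host rather than copying a binary around.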
Qualys found Ghost during a routine code audit and only then realized how serious it was. To prove the point it wrote an exploit for the Exim mail server and, in a test attack against an Exim installation on a Linux box, obtained a remote shell on the machine. The company says other software that passes attacker-supplied hostnames to the vulnerable calls, from mail servers to web applications that resolve addresses submitted in forms, could be exposed in the same way. It also checked a long list of common daemons and found that many of them are not affected, among them Apache, openssh, samba, sendmail and MySQL/MariaDB, because they do not hand unchecked, attacker-controlled input to those calls.
Linux vendors have begun releasing patches, but it will take some time before updates are available for every glibc package. And installing the patch is only half the job. glibc is mapped into almost every process running on a Linux machine, and a running process keeps using the old, vulnerable copy until it is restarted. So either every affected service has to be restarted individually, or the whole server has to be rebooted.
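After the package upgrade, the question is which processes are still holding the old library. On Linux the kernel marks such mappings for you: once the package manager has replaced the file on disk, every process that still maps the old copy shows it in /proc/<pid>/maps with a trailing “(deleted)”. The program below is an added example for this article (not a vendor tool); it walks /proc, flags processes with a deleted libc mapping, and can be used as a restart checklist. The constructed sample line in the comment and the libc file-name patterns it matches are assumptions of the example.

```c
/* stale_libc.c: added example, not from the article. Lists processes that
 * still map a libc file which has since been deleted from disk, i.e. the
 * pre-upgrade copy. Build: gcc -o stale_libc stale_libc.c && sudo ./stale_libc
 */
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A line of /proc/<pid>/maps has the fields address, perms, offset, dev,
 * inode and (optionally) pathname. A constructed example of a stale mapping:
 *   7f3c5a1e3000-7f3c5a39e000 r-xp 00000000 08:01 1048581 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
 * The kernel appends " (deleted)" when the mapped file has been unlinked,
 * which is exactly what a package upgrade does to the old libc.
 * Returns 1 if the line is a deleted libc mapping, 0 otherwise. */
int maps_line_is_stale_libc(const char *line)
{
    const char *path = strchr(line, '/');       /* pathname column, if any */
    if (!path)
        return 0;                               /* anonymous, [heap], [stack] ... */
    const char *base = strrchr(path, '/') + 1;  /* file name without directories */
    /* match libc.so.6 and libc-2.xx.so, but not libcrypto, libcap, etc. */
    int is_libc = strncmp(base, "libc.so", 7) == 0 || strncmp(base, "libc-", 5) == 0;
    return is_libc && strstr(base, " (deleted)") != NULL;
}

/* Scans every numeric entry in /proc, prints each process that still maps an
 * old libc, and returns how many were found (-1 if /proc is unreadable).
 * Processes owned by other users are skipped unless run as root. */
int count_stale_libc_processes(void)
{
    DIR *proc = opendir("/proc");
    if (!proc)
        return -1;
    int count = 0;
    struct dirent *de;
    char path[64], line[8192];
    while ((de = readdir(proc)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0]))
            continue;                           /* only PID directories */
        snprintf(path, sizeof path, "/proc/%s/maps", de->d_name);
        FILE *f = fopen(path, "r");
        if (!f)
            continue;                           /* exited, or not ours to read */
        while (fgets(line, sizeof line, f)) {
            if (maps_line_is_stale_libc(line)) {
                printf("pid %s still maps an old libc: %s", de->d_name, line);
                count++;
                break;                          /* one hit per process is enough */
            }
        }
        fclose(f);
    }
    closedir(proc);
    return count;
}

int main(void)
{
    int n = count_stale_libc_processes();
    if (n < 0) {
        perror("/proc");
        return EXIT_FAILURE;
    }
    printf("%d process(es) need restarting\n", n);
    return n ? EXIT_FAILURE : EXIT_SUCCESS;
}
```

Run it as root so that every process's maps file is readable; a non-zero exit status means something is still running on the old library. The same check extends naturally to the dynamic loader (ld-linux) and to other patched libraries by widening the file-name match.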
At this point, Qualys is not revealing details of the exploit itself, and says it won’t do so until roughly half of the machines affected by Ghost have been patched. After that, the company plans to release a Metasploit module that can be used to test individual machines.
It’s been a bad twelve months for open-source software and online security, and Ghost is just the latest major vulnerability to be discovered. In April 2014 the Heartbleed vulnerability in OpenSSL was revealed. In September the news was about Shellshock, the bug in the Bash shell that allowed widespread attacks on several major companies and institutions (reportedly including Yahoo and the U.S. Department of Defense). And the next month Google made everyone aware of POODLE, an SSL 3.0 weakness that lets an attacker on the network force a browser to fall back to the old protocol and then recover session cookies from the encrypted traffic.
Experts say that Ghost could potentially be as serious as those other vulnerabilities. However, because it mostly affects servers rather than individual computers, patches can be built and rolled out much more quickly, which will hopefully limit the widespread exposure seen with bugs like Shellshock.