glibc Vulnerability Puts Certain Linux Systems at Risk
Security experts at Qualys announced the discovery of a vulnerability in the glibc library that affects the library's gethostbyname functions. Because glibc is built into so many open source applications, the number of vulnerable systems and applications is unknown. The problem, dubbed GHOST, is based on a buffer overflow and bypasses many built-in defenses, including malloc hardening and no-execute safeguards.
Qualys expressed alarm about the attack but pointed out that not all glibc-based applications are affected. Tests show that Apache, cups, gnupg, isc-dhcp, mariadb, mysql, openldap, samba, and many other common tools are not vulnerable – either because they don't use the vulnerable functions or because they have developed their own solutions.
The most alarming discovery so far is that the Exim mail server, which is the default mail transfer agent for Debian, actually IS vulnerable.
Interestingly, a glibc patch released in May 2013 fixed the problem, but it was not billed as a security update and thus was not incorporated in many major distros, including Debian.
After the initial announcement of the GHOST vulnerability, other security experts have said the problem isn't as widespread as first imagined. Although they recommend patching as soon as possible, some commentators have observed that GHOST requires the functions to be used in a specific way within the application, and they point out that the afflicted functions within the library were already considered out of date by many programmers. Cisco has announced that its systems aren't vulnerable because the gethostbyname functions do not support IPv6 and thus have been deprecated for Cisco routers for around 15 years.
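The point made above, that the gethostbyname family is considered out of date and lacks IPv6 support, is the reason most current code resolves names with getaddrinfo() instead. The following is an added example, not code from the article or from Qualys: a hypothetical helper, resolve_first_addr(), that resolves a host with getaddrinfo() (IPv4 and IPv6, caller-supplied output buffer, no static result storage) and renders the first address with getnameinfo(), which reports an error rather than writing past a buffer that is too small. The numeric_only flag switches on AI_NUMERICHOST so the helper can be exercised offline with address literals.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Hypothetical helper (not from glibc or the article): resolve `name` with
 * getaddrinfo(), the IPv6-capable replacement for gethostbyname(), and copy
 * the first returned address as text into `out`.
 * Returns 0 on success, -1 on any failure (unresolvable name, or `outlen`
 * too small for the textual address). */
int resolve_first_addr(const char *name, int numeric_only, char *out, size_t outlen)
{
    struct addrinfo hints;
    struct addrinfo *res = NULL;

    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_UNSPEC;      /* accept both IPv4 and IPv6 answers */
    hints.ai_socktype = SOCK_STREAM;
    if (numeric_only)
        hints.ai_flags |= AI_NUMERICHOST;  /* only parse literals, never query DNS */

    if (getaddrinfo(name, NULL, &hints, &res) != 0 || res == NULL)
        return -1;

    /* getnameinfo() is bounded by `outlen` and fails (EAI_OVERFLOW) instead of
     * overrunning the caller's buffer; NI_NUMERICHOST keeps it offline. */
    int rc = getnameinfo(res->ai_addr, res->ai_addrlen, out, outlen,
                         NULL, 0, NI_NUMERICHOST);
    freeaddrinfo(res);
    return rc == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    char addr[64];
    /* Constructed sample input: an IPv4 and an IPv6 literal, resolved offline. */
    const char *name = argc > 1 ? argv[1] : "::1";

    if (resolve_first_addr(name, 1, addr, sizeof addr) == 0)
        printf("%s -> %s\n", name, addr);
    else
        printf("%s -> resolution failed\n", name);
    return 0;
}
```

Run it with no arguments to resolve the constructed literal "::1", or pass an address literal on the command line; drop the numeric_only flag in your own code when you actually want DNS lookups. The caller owns the output buffer and its size, which is the property the older gethostbyname() interface, with its static, fixed-layout result, does not give you.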
Qualys worked with Linux vendors to develop security patches before the public announcement. Linux users are advised to update their systems.