CVE-2015-0235

Or: why I started worrying immediately and learned to give up the 'ghost'

2015-01-31

Long title is long.

So there’s this major security vulnerability out this week that has been given the CVE number of CVE-2015-0235. Because this is a long and kinda hard-to-pronounce-quickly name, many security researchers have given it an adorable name, similar to “Shellshock” and “Heartbleed” before it. This one has been code-named Ghost.

So what exactly is Ghost?

You can read more about it here (and, for the layman, there’s a simpler explanation here). Basically, there’s a bug in a function called __nss_hostname_digits_dots() which allows the a heap-based buffer overflow which will allow an attacker to write (and execute) arbitrary code into memory with the permissions of the process running the function. Under normal and unextrodinary circumstances, this only affects Linux (and maybe some other flavors of Unix) users, and doesn’t affect OS X, Windows, Android, or iOS.

Seems like it’s no big deal and it’s a run-of-the-mill security “vulnerability”, right?

Well, it would be that way, if it wasn’t being used by a DNS-related system call that we all know and love (and shouldn’t be using because it’s outdated) called gethostbyname(), which happens to reside in the standard C library (glibc). You know, that library that lots and lots of programs are compiled against, including good ol’ granddaddy process #1. That’s right, this bug means there’s a vulnerability in the init process, which runs as a daemon and has God-permissions over the entire system.

Oh, crap.

Not to worry! This vulnerability has quickly been patched and the affected services have been recompiled without this vulnerability built in. Just run a full-system update through your package manager (assuming your distro has provided a patch upstream, which at the time of this writing at least RHEL and Ubuntu have done) and restart any affected services.
Wait, I said earlier that this vulnerability affects init. This means you’re going to have to restart init. This means restarting your server. Y’know, that server with 3 years of continuous uptime?

Sadface.

Well, which would you rather have? 3 years of continuous uptime (impressive), or knowing for a fact that your system is safe from being pwned for the time being (security)? A bragging right vs potentially losing your job. Hard choice.

Yeah. If you’re reading this and you haven’t done a full-system update and reboot of your Unix-flavored system (not Mac OS X) within the past month, stop reading this blog and update your systems. Seriously. Do it.


Comments: