Security vendors report a newly discovered critical Linux vulnerability, affecting systems dating back to the year 2000, could lead to remote code execution and allow attackers to gain full control of a target device.
Researchers for Redwood City, Calif.-based security vendor Qualys Inc. discovered the vulnerability, which is officially labeled CVE-2015-0235, but has been nicknamed GHOST because it can be triggered by the "gethostbyname" function. The flaw, first reported by Threatpost, has been confirmed in Linux systems using GNU C Library (glibc) versions 2.2 and newer, which includes all glibc versions released since Nov. 10, 2000.
Qualys has categorized this as a critical vulnerability due to the vast number of affected systems, and because attackers can exploit the flaw remotely to gain control of a system without having any prior knowledge of system credentials.
"GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine," said Wolfgang Kandek, chief technical officer for Qualys. "For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine."
Once an attacker has access to the machine, it would be easy to remotely install cyberespionage malware or turn machines into botnet "zombies" that execute DDoS attacks on-demand, said Chris Wysopal, CTO and CISO of Burlington, Mass.-based security vendor Veracode Inc. Wysopal also warned that open source components like glibc can be the cause of multiple vulnerabilities.
"In our research, we've found that open source components such as glibc introduce an average of 24 known vulnerabilities into each Web application," said Wysopal. "GHOST won't be as widespread as Heartbleed and Shellshock, but it's widespread enough that IT operations teams at many companies are now scrambling to find all instances so they can patch them ASAP."
Despite the severity of the flaw and how widespread it could be, Qualys noted that there is an easy way to mitigate the risk by applying an existing patch.
"We discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18)," said Qualys in an advisory posted to the OSS-Security mailing list. "Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed, and still are: Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example."
Patches are necessary for all affected Linux distributions (those using glibc version 2.18 or earlier), though most are still forthcoming. Red Hat Inc. has already released an update for its Enterprise Linux Server and Desktop v. 5 products.
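For teams inventorying hosts, the following is an added example (not from Qualys or the original article) that classifies a glibc version string against the range in the Qualys quote above: first affected release 2.2, fixed upstream between 2.17 and 2.18. The function names and sample strings are constructed for illustration; an "in-range" result means the distribution's advisory must be checked, because vendors backport the fix without changing the upstream version number.

```shell
#!/bin/sh
# Added example: triage glibc versions for GHOST (CVE-2015-0235).
# Range assumed from the Qualys quote: 2.2 through 2.17 are in range,
# 2.18 and later carry the upstream fix.

# ghost_classify VERSION_STRING
# Prints one of: in-range | fixed-upstream | predates | unparsable
ghost_classify() {
    # Accepts "2.17", "2.12.1", "glibc 2.17" or package-style "2.17-1.x".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2/p')
    if [ -z "$ver" ]; then
        echo unparsable
        return 0
    fi
    major=${ver% *}
    minor=${ver#* }
    if [ "$major" -lt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -lt 2 ]; }; then
        echo predates          # older than glibc 2.2
    elif [ "$major" -eq 2 ] && [ "$minor" -le 17 ]; then
        echo in-range          # confirm against the distro's patched package
    else
        echo fixed-upstream    # 2.18 or newer
    fi
}

# ghost_host_version: print the local glibc version ("glibc X.Y"),
# or nothing when the C library is not glibc.
ghost_host_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null || true
}

# Constructed sample inputs (not taken from real hosts).
for v in "glibc 2.12" "2.17-1.example" "glibc 2.18" "2.1.3" "musl 1.x"; do
    printf '%-16s %s\n' "$v" "$(ghost_classify "$v")"
done

# Then the machine this script runs on, if it uses glibc.
host=$(ghost_host_version)
if [ -n "$host" ]; then
    printf 'this host: %s -> %s\n' "$host" "$(ghost_classify "$host")"
fi
```

Long-running services keep the old library mapped after a package update, so restart them (or reboot) once the patched glibc is installed.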