Critical 15 Year-old Linux Security Hole (Ghost) Revealed

Security researchers at qualys.com yesterday released information on a critical 15 year-old Linux security hole which affects millions of Linux systems dated back to the year 2000.  The newly published security hole – code named ‘Ghost’  was revealed yesterday by Qualy’s security group on openwall.com.

The security hole was found in the __nss_hostname_digits_dots() function of the GNU C Library (glibc).

The function is used on almost all networked Linux computers when the computer tries to access another networked computer either by using the /etc/hosts files or, more commonly, by resolving a domain name with Domain Name System (DNS)

As noted by the security team, the bug is reachable both locally and remotely via the gethostbyname*() functions, making it possible remotely exploit it by triggering a buffer overflow by using an invalid hostname argument to an application that performs DNS resolution.

The security hole exists in any Linux system that was built with glibc-2.2 which was released in November 10th, 2000. Qualy mentioned that the bug was patched on May 21st, 2013 in releases glibc-2.17 and glibc-2.18.

Linux systems that are considered vulnerable to the attack include RedHat Enterprise Linux 5, 6 and 7, CentOS 6 and 7,  Ubuntu 12.04 and Debian 7 (Wheezy).

Debian has is already patching its core systems (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=776391) while Ubuntu has already patched its 12.04 and 10.04 distributions (https://www.ubuntu.com/usn/usn-2485-1/). CentOS patches are also on their way.