SecureState Blog

Read SecureState's award winning blog.

The Phantom Exploit

The Phantom Exploit

Researchers at Qualys recently warned organizations about a remote code execution vulnerability in the Linux GNU C Library (glibc). Named GHOST, this is a buffer overflow vulnerability that affects the GetHOSTbyname functions used to resolve host names in glibc. Ghost has been compared to Heartbleed (CVE-2014-0160), Poodle (CVE-2014-3566), and Shellshock (CVE-2014-6271), but is it as serious a threat?

Why Ghost has the Potential to be Serious

Glibc resolves domain names into IP addresses by applications. Similar to the Shellshock Bash vulnerability, any application that uses the affected functions in vulnerable version of glibc (practically any application that goes online) is at risk of being exploited.

Why It Is Not That Big of a Deal

Although GHOST affects a lot of systems, it is much more difficult to exploit than similar vulnerabilities. To successfully exploit this vulnerability, an attacker has to tghostarget a specific application that uses the vulnerable functions in a manner that allows the attacker to control the parameters. While this was also the case with ShellShock and Heartbleed, the conditions were more easily and commonly manipulated. This difficulty is indicated by the lack of public exploits resulting in code execution being released in the weeks since the vulnerability was announced. It is likely that we will see a weaponized exploit eventually, but it will probably not be as widely exploited as Heartbleed or Shellshock due to the specificity of the parameters needed to successfully gain code execution.

SecureState’s Recommendation

SecureState’s recommendation is simple: Patch and restart your machine. Red Hat, Debian, Ubuntu, and Novell have all issued patches. Once you have updated your system, reboot the server, including web and mail servers.