
Global Banking and Finance Review

    SEVEN THINGS YOU NEED TO KNOW ABOUT THE “GHOST” VULNERABILITY


    Published by Gbaf News

    Posted on January 31, 2015


    Szilard Stange, Director of Product Management, OPSWAT

    Another vulnerability shocked the Linux world on 27th January. The Qualys security research team found a critical vulnerability in the Linux GNU C Library (glibc) that allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials – according to Qualys reports.

    What does it mean for you as an Internet user and what does it mean for Linux system administrators? Was it really a shocking event? Here’s everything you need to know.

    1. What is “GHOST”?

    “GHOST” is the name of a vulnerability recently found in one of the key components of Linux systems. The component is the Linux GNU C Library that is used by all Linux programs. The vulnerability has been found in a function of this library that is used to convert Internet host names to Internet addresses.

    If an attacker finds vulnerable software and a way to pass a specially crafted host name to this function, then theoretically the attacker could take control of the system.

    2. How widespread is it?

    This vulnerability affects almost all major Linux distributions, except a few such as Ubuntu 14.04. Millions of servers on the Internet contain this vulnerability.

    What does it mean? It means that the vulnerability exists on servers, but certain conditions must be met for a server to be remotely attackable. According to Qualys’ report, they found that an email server software called Exim is remotely exploitable. There is no recent, complete report showing how many public Exim servers are on the Internet; it has a measurable “market” share, but according to some old reports this is at most a few percent.

    Note that an Exim-based email server is exploitable only if it has been configured to perform extra security checks on the HELO and EHLO commands of the SMTP protocol.

    Fortunately, Qualys found that many well-known Linux-based web, email and other server software packages, such as Apache, nginx, OpenSSH and syslog-ng, are not affected by this vulnerability.

    So although the vulnerability is present on many servers, the share of these servers that is actually remotely attackable is low.

    3. How can I secure my Exim email server?

    First of all, deploy security fixes to all affected Linux servers as soon as possible. All major distributions released security patches on the same day the security advisory disclosed the vulnerability.

    Keep in mind that for the security patch to take effect, all affected software has to be restarted. Many distributions do this automatically during the glibc update, but many others leave this job to you.

    Please make sure that your Exim server is restarted. This restart causes an SMTP service outage, but normally it lasts only a few seconds and your email server users should not have any major issue because of it. Any ongoing SMTP connection – sending or receiving email – will be aborted by the restart, and then the other side or Exim will resend the email shortly.

    In similar cases the possible impact of an unplanned outage is much lower than the possible impact of a successful attack.
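One way to check which processes still need the restart described above, as an added example that is not part of the original article: after a library update, a process that loaded the old file still lists it in `/proc/<pid>/maps` with a ` (deleted)` suffix. The function names and the sample maps text are constructed for illustration.

```python
import os
import re

# Matches the C library itself (libc-2.19.so, libc.so.6), not libcrypto, libcap, etc.
_LIBC_RE = re.compile(r"(?:^|/)libc(?:-[^/]*)?\.so(?:\.[^/]*)?$")
_MARKER = " (deleted)"  # suffix the kernel adds once the mapped file was replaced

# Constructed sample of /proc/<pid>/maps content for a process started before the update.
SAMPLE_MAPS = """\
00400000-004f2000 r-xp 00000000 08:01 131 /usr/sbin/exim4
7f3a10000000-7f3a101bb000 r-xp 00000000 08:01 917 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a103c0000-7f3a103c4000 r--p 001bb000 08:01 917 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f3a10600000-7f3a10800000 r-xp 00000000 08:01 955 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
7ffc2e000000-7ffc2e021000 rw-p 00000000 00:00 0 [stack]
"""

def stale_libc_paths(maps_text):
    """Return the replaced libc files still mapped, given one maps file's text."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # address perms offset dev inode pathname
        if len(fields) < 6:
            continue  # anonymous mapping without a pathname
        path = fields[5].strip()
        if path.endswith(_MARKER) and _LIBC_RE.search(path[:-len(_MARKER)]):
            stale.add(path[:-len(_MARKER)])
    return sorted(stale)

def scan_proc(proc_root="/proc"):
    """Map pid -> (process name, stale libc paths) for every readable process."""
    findings = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "maps")) as fh:
                stale = stale_libc_paths(fh.read())
            with open(os.path.join(base, "comm")) as fh:
                name = fh.read().strip()
        except OSError:
            continue  # process exited meanwhile, or we lack permission to read it
        if stale:
            findings[int(entry)] = (name, stale)
    return findings

if __name__ == "__main__":
    for pid, (name, paths) in sorted(scan_proc().items()):
        print(f"{pid}\t{name}\tstill maps {', '.join(paths)}: restart needed")
```

Run it as root so that every process is readable. Statically linked binaries never map the shared library, so they do not appear here and have to be updated separately.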

    4. Could an attacker do anything other than just take control of an email server?

    There is no exact answer to this question. It depends on your deployment and configuration. If you use Exim just as a front-end server (a smart host), then the attacker can gain access to your emails. If your email system is separated, and you do not store any credentials – passwords, SSH private keys, etc. – on the affected servers, then the impact could be relatively low. But if your Exim server hosts the mailboxes and/or runs other server software, then the attacker can gain access to your data and, in the worst case, to your other systems as well.

    If you suspect that your server has been attacked successfully, remove the server from operation immediately, unplug all network connections and execute your emergency plan. Do you have plans for such scenarios? You should…

    If you do not have such an emergency plan then maybe the easiest and most secure way is to reinstall the whole system.

    5. Are my Linux servers safe now?

    If you deployed security patches quickly and you have checked that your server software was not affected and/or there is no sign of any attack, then you can sit back.

    However, we don’t have information on all software; in particular, we don’t know how much 3rd party software is affected. For example, many email security and anti-spam products process email headers: they take every Received: header line and try to resolve the host names found in these headers to check them against bad IP databases. So theoretically a specially crafted email message can contain exploit code.

    Of course this is only speculation, but it shows that we can never be cautious enough, because sometimes the possible consequences of a vulnerability cannot be predicted.

    Over the next few days, it is better to pay more attention to your servers, your log files, the web sites of your Linux distribution and the web sites of the vendors of any 3rd party software you use on your servers, to make sure that you do not miss anything important regarding this vulnerability.
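A defensive pre-check for the header-processing case described above, as an added example that is not code from the article or from any anti-spam product: it extracts host tokens from Received: headers and hands to the resolver only names that fit standard DNS limits (253 characters overall, 63 per label, letters, digits and hyphens). The sample message, the function names and the simplified Received: grammar are assumptions made for illustration.

```python
import re
from email import message_from_string

MAX_NAME = 253   # maximum length of a DNS name in text form
MAX_LABEL = 63   # maximum length of one dot-separated label
_LABEL_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
# Host token following "from" or "by" in a Received: line (simplified grammar).
_HOST_TOKEN_RE = re.compile(r"\b(?:from|by)\s+(\S+)", re.IGNORECASE)

# Constructed sample: the second Received: line carries an oversized host token.
SAMPLE_MESSAGE = (
    "Received: from mail.example.org (mail.example.org [192.0.2.10])\n"
    "\tby mx.example.net with ESMTP id ABC123; Fri, 30 Jan 2015 10:00:00 +0000\n"
    "Received: from " + "a" * 300 + " by relay.example.net; Fri, 30 Jan 2015 09:59:00 +0000\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

def is_resolvable_name(name):
    """True only for names within DNS length limits and letter-digit-hyphen syntax."""
    name = name.rstrip(".")  # tolerate a fully qualified trailing dot
    if not name or len(name) > MAX_NAME:
        return False
    return all(
        len(label) <= MAX_LABEL and _LABEL_RE.fullmatch(label) is not None
        for label in name.split(".")
    )

def names_to_resolve(raw_message):
    """Split host tokens found in Received: headers into (safe, rejected) lists."""
    msg = message_from_string(raw_message)
    safe, rejected = [], []
    for header in msg.get_all("Received", []):
        for token in _HOST_TOKEN_RE.findall(header):
            token = token.strip("();")
            (safe if is_resolvable_name(token) else rejected).append(token)
    return safe, rejected

if __name__ == "__main__":
    ok, bad = names_to_resolve(SAMPLE_MESSAGE)
    print("resolve:", ok)
    print("skipped:", [f"{t[:20]}... ({len(t)} chars)" for t in bad])
```

Only the `safe` list should ever reach the resolver; the `rejected` list is worth logging, since malformed host tokens in mail headers are themselves a signal.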

    6. Is there anything I can do to be prepared for future vulnerabilities?

    Just ask yourself: were you nervous after reading the security advisory about “GHOST”? If you just needed to execute previously defined steps, such as updating your infrastructure, to make sure that your system is secure, then you did a great job preparing. However, existing processes and infrastructure can always be improved.

    Take this time to think about your systems and processes:

    •  Is there a faster way to deploy security fixes?
    •  Is there any unnecessary/unused service that you can shut down to minimize attack surface?
    •  Is there any setting or functionality of any currently used software that you can switch off?
    •  Are you subscribed to security advisory alerts? Did you receive “GHOST” alerts in time?
    •  Is anybody watching security alerts 24/7 to take all necessary steps immediately when needed?

    7. What should I do as an Internet user?

    You cannot do much. You are unlikely to be affected by this vulnerability. There is a very small chance that an attacker could send you a fake email or catch your email via a hacked email server or access your personal information stored on a hacked server but the probability is low enough that you should not be worried.
