The Ghost vulnerability: how does it work and what are the solutions?
January 2015 by NBS System
After the discovery of the Ghost flaw putting in danger Linux servers, we wish to explain it with more in depth and to make it comprehensible for as many people as possible.
© Boguslaw Mazur
THE GHOST FLAW: CONTEXT
The Ghost flaw, whose high danger level has been exposed on January 27th by the company Qualys, threatens the security of Linux servers. It is a coding error located in the “Glibc” library, used by all the Linux machines and potentially allowing attackers to retrieve data, plant a botnet on a machine (Trojan horse enabling to use the computer as a support for future attacks), or even take control over the machines, all of this remotely.
High-risk servers such as those belonging to renowned or large databases-owning companies must be quickly protected. In this article, we will start by explaining what the Ghost flaw is, and then mention some solutions to avoid the risks linked to this flaw.
How does it work?
What is a program?
The word “program” covers many categories: operating systems (Windows, Linux), web browsers (Firefox, Chrome), applications… Actually, there are sequences of instructions given to the machine, specifying step by step the operations that need to be executed to obtain the result to a request. When a request is send to a program, the latter uses several functions to achieve the result. These functions are stored in libraries; some are shared between a few specific programs that have the same needs, others are widely used by everyone.
One of those contains basic functions, vital to the working of any program: it is the “Libc” library. A simple example: the function “printf ()”, allowing to print on display a character on the screen, is provided by it.
In truth, the “Libc” library is the cornerstone of pretty much every program. To understand it, we need to go deeper and find out how a program works. A computer’s processor “talks” in its own language, the “machine language”, which is as precise as it is extremely complicated. Thus, there is a second language level, needing less code lines and enabling to “talk” more easily with the machine: the C. It is the most performing language, but it is still kind of complicated to understand and to use. That is why there also is a third level, which includes the most widely known and used types of code: PHP, Java, Python… These languages are actually C-based and add their own instructions to this kernel.
In this way, even if all programs do not use the same final language, a huge part of them is based on C, and “Libc” (Lib- for library and -C for the name of the language) is the library that gathers all the basic function usable in C. It is thus used by all. The example of the « gethostbyname () » function
We are now going take as an example one of the functions included in the “Libc”: the one allowing to get the IP address corresponding to the requested domain name. This is one of the steps the program goes through in order to load an Internet page, for instance. This function, “gethostbyname ()”, is accessible by all programs.
To write a function, and by extension a program, one must declare variables, as well as parameters linked to this variable, in the source code. For the “gethostbyname ()” function, one declares for example the FQDN variable (Fully Qualified Domain Name, such as www.toto.com) and states that is must not exceed a determined number of characters.
If this condition is respected, the program will go look for the matching information in the corresponding RAM (memory) part of the computer. In our example, it is the IP address linked to the domain name. However, if the number of predetermined signs is exceeded and nothing was planned to block the request, then one exceeds the variable capacity and touches some memory space that is not dedicated to this variable. The program will fall, and the request will seek to use some other resources of the machine.
The Linux case: Glibc and the Ghost flaw as it is The Ghost flaw works like that. Even if it is much more complex and large than the only one function example given above, it basically matches it. On many “gethostby… ()” functions (hence the Ghost name), there is a risk of characters’ size misuse, following a coding mistake or, more accurately, a lack of security in the coding.
This flaw is located in the “Glibc” library, created by the GNU group which, wishing to increase the freedom and control of computer users, made it and its source code available to anyone. Being used to adding a G as a prefix to all their creations, they named the library Glibc. It is part of the Linux “distributions”, which is why only this operating system is concerned by the flaw. Glibc contains a massive number of functions, allowing for instance the management, widely speaking, of the network.
The actual Ghost-related risks
Even if the flaw must be quickly patched in order to avoid attacks, it is not so simple to take advantage of these exploits. Indeed, it is not enough to exceed the number of imposed signs to be able to exploit the machine. An ill-intended person will have to type an exceedingly long domain name followed by a fitted parameter in order to have access to the rest of the machine (in www.toto.com/index.php, “index.php” is the parameter). It is as if they forged a badge to enter some locked offices; they create a self-made authorization for the machine not to block them at the entrance of the memory space. That is why, even if the flaw has been brought out into the wild, it is important to react quickly to prevent potential attackers to take advantage of the vulnerability of the machines.
SOLUTIONS TO PROTECT YOUR MACHINE
First things first, an investigation by Qualys showed that some “targets” are theoretically safe from the danger of being exploited. These targets are: Apache, Cups, Dovecot, Gnupg, Isc-dhcp, Lighttpd, Mariabd/mysql, Nfs-utils, Nginx, Nodejs, Openldap, Openssh, Postfix, Proftpd, Pure-ftpd, Rsyslog, Samba, Sendmail, Sysklogd, Syslog-ng, Tcp_wrappers, Vsftpd, Xinetd.
For How to avoid the Ghost flaw? As a matter of fact, solving this vulnerability is simple to the end user. As soon as of Januray 27th evening, updates were available for most major Linux distributions:
• Red Hat for OS RHEL 5, 6 and 7
• Ubuntu for its 10.04 and 12.04 versions
• SUSE, where only the 11 and inferior versions were touched
• Debian 6 and 7
• CentOS 6 and 7
Thus, the two actions to take are:
Update of the "Glibc" library thanks to the package manager of the OS
Restart every service running on the machine so they reload the new Glibc. Alternatively, it is strongly recommended, when possible, to completely reboot the operating system after updating of the library, so that there is no trace left of the old Glibc in the machine’s memory.