GHOST CVE-2015-0235

GHOST

Two days ago, details were published about a vulnerability in glibc versions 2.2 – 2.17 involving the gethostbyname() function. Debian/GNU Linux Wheezy 7.x is affected as it deploys a version of glibc based on v2.13.

The real impact has been pretty unclear in the beginning and a PoC for exim (w/ a non-standard config setting) was released by Qualys, but after some more ppl were looking at it, at least wordpress installations running on unpatched systems seem to be vulnerable.  The php affection can be tested by running

php -r '$e=”0″;for($i=0;$i<1337;$i++){$e="0$e";} gethostbyname($e);'

at the command line. If a segfault occurs, the installation is vulnerable and a buffer overflow will take place, overwriting the defined RFC compliant buffersize of 255 characters for domain names.

There are quite some sites decribing the vulnerability more detailed in general and wordpress related.

In general, it is enough to apply distribution specific patches and restart affected services afterwards. However, in a more complex setup, it seems reasonable to also reboot the machine to be sure that nothing is still using the old vulnerable version of glibc.

I guess we are probably going to see more impacts than initially thought throughout the next few days, because theoretically, any application or programming language that uses code involving glibc’s gethostbyname() function poses a potential risk.

Shellshock CVE 2014-7169

shellshock-small-191f9cbb5f501b25

As if Heartbleed was not enough impact, shellshock just happened. Internet Storm Center already switched to yellow.

The Problem here is also that Squeeze versions do not automatically have the right sources to get security updates. What you need in /etc/apt/sources.list is

deb http://http.debian.net/debian/ squeeze main contrib non-free
deb-src http://http.debian.net/debian/ squeeze main contrib non-free
deb http://security.debian.org/ squeeze/updates main contrib non-free
deb-src http://security.debian.org/ squeeze/updates main contrib non-free
deb http://http.debian.net/debian squeeze-lts main contrib non-free
deb-src http://http.debian.net/debian squeeze-lts main contrib non-free

Since you have to manually do this, alot of systems will not get updated for quite some time (which is nothing new as vulnerable systems are what all of the permanently growing botnets consist of).

The impact is quite uncertain, as anything using the bash shell can potentially be affected. Webservers executing CGI skripts for example become extremely dangerous, so quick patching is a must as there are already mass scans ongoing.

Update: As expected, still more CVE incoming: 

CVE-2014-7186    CVE-2014-7187

CVE-2014-6271    CVE-2014-6278

290914 @ 02:51: I am beginning to see scans and exploit attempts targetting vulnerable webmin installations on port 10000/tcp in the relevant netflow data.

It becomes clear that most attack sources seem to be server installations spread widely across the globe, which is another indication for the big impact of shellshock! Also, every box compromised via shellshock will scan and try to infect other boxes – not only for the shellshock vuln – so that we will see a general increase in malware activity.