GHOST is the name given to a new security vulnerability which has been discovered in part of the Linux platform. The fact that it has been given a name rather than just a number reflects on the potentially serious and widespread nature of the vulnerability.
What is it?
Specifically, the GHOST vulnerability is found in a piece of code which helps translates between network device names and IP addresses (E.g. “google.com” and “18.104.22.168”). The vulnerability can be exploited by feeding in a specially crafted address which ultimately leads the attacker to being able to gain control of the affected device.
What’s the Risk?
Despite the media hype surrounding this vulnerability, the risk is actually quite low compared to previous “named” vulnerabilities such as Heartbleed, Shellshock and POODLE. This is because although affected code is widely used, it is very difficult to exploit the vulnerability (to feed in one of these specially crafted addresses) unless you already have a high level of control over the device running the code.
To date, only one specific application (detailed below) has been shown to be remotely exploitable – that is, anyone from anywhere could gain control of a device without needing access to it already. This may change in the future!
What might be affected?
There is a risk that more applications will be shown to be vulnerable as GHOST is investigated by people trying to exploit it. As such, any Linux based device with networking capabilities (not just PC and Servers but also firewalls, switches and routers, many of which are based on a Linux operating system) may turn out to be affected.
At the current time, only the EXIM Mail Transfer Agent is known to be susceptible to attack. You can tell if this software is present on a device by running the command “exim –bV” on the command line of the device you’re concerned about. If the command returns anything other than “command not found” then it is likely that EXIM is installed.
You may not be able to test all devices, such as switches, routers and firewalls, using the method above.
What do I need to do?
Waterstons would highly recommend patching of any servers or devices running the Exim mail transfer agent as soon as possible. Various hardware appliances are based on Linux and may use Exim – for example for gateway mail filtering. It is recommended that the vendors of such appliances are contacted to determine whether they are affected.
We also recommend that you review current patching schedules to ensure all Linux devices are patched routinely.
Finally, if any devices do require patching, be sure to restart them as soon as possible to ensure the patch is applied completely.