Another Linux 0-Day (GHOST)


alex kot

Jan 27, 2015, 4:23:10 PM
to akro...@googlegroups.com
Well, not so much of a 0-Day, since this bug was discovered and slowly patched almost 2 years ago. This exploit can allow a malicious user to gain remote code execution, up to a full compromise. So just make sure you are running a version of GLIBC above 2.17. More info on the link below. Also, props to that company for working with all the vendors years in advance and still not releasing a PoC (proof of concept).

admf...@gmail.com

Jan 28, 2015, 11:27:54 PM
to akro...@googlegroups.com
Let's stay clear-headed about this.

It is nothing but Qualys trying to trump up their business.







Patrick Regan

Jan 29, 2015, 10:27:55 AM
to AdmFubar, Akron Linux Users Group

On Wed, Jan 28, 2015 at 11:27 PM, <admf...@gmail.com> wrote:
Let's stay clear-headed about this.

Indeed. But I wouldn't necessarily qualify this as just trying to trump up Qualys' business. This is in practice a bit harder to exploit than, say, Shellshock, but it is in glibc. Which, as some of us know too well, touches a butt-load of things in Linux.

As for "it was already patched." That doesn't mean the risk is nothing. The fact that glibc touches everything means that you can't just do a `yum upgrade` and call it good. You have to restart everything that uses glibc so you grab the new links. The "only exim is truly vulnerable" argument also minimizes how terrible that actually is.

So no, we don't have to call this the next Shellshock, but saying it's FUD is also a bit hyperbolic IMHO.
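Added example (not part of the thread, and not any poster's code): one way to check the "restart everything that uses glibc" point above is to look for processes whose memory maps still reference the old, replaced libc. It assumes a Linux `/proc` where mappings of a replaced file carry a ` (deleted)` suffix; the function names and the sample maps text are constructed for illustration.

```python
import os
import re

# A maps line whose backing file is a glibc shared object that has been
# unlinked, e.g. "/lib64/libc-2.12.so (deleted)" or ".../libc.so.6 (deleted)".
STALE_LIBC = re.compile(r"(/\S*/libc(?:-[\d.]+)?\.so(?:\.\d+)?) \(deleted\)$")

# Constructed sample of /proc/<pid>/maps after a glibc package upgrade.
SAMPLE_MAPS = """\
00400000-004f3000 r-xp 00000000 fd:00 1310 /usr/sbin/exim
7f3a1c000000-7f3a1c18a000 r-xp 00000000 fd:00 2207 /lib64/libc-2.12.so (deleted)
7f3a1c5a0000-7f3a1c5c0000 r-xp 00000000 fd:00 2199 /lib64/ld-2.12.so (deleted)
"""

def find_stale_libc(maps_text):
    """Return the path of a deleted libc mapping in maps_text, or None."""
    for line in maps_text.splitlines():
        m = STALE_LIBC.search(line.rstrip())
        if m:
            return m.group(1)
    return None

def stale_libc_processes(proc_root="/proc"):
    """Return {pid: (name, old libc path)} for processes needing a restart."""
    stale = {}
    for entry in os.listdir(proc_root):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self" or "sys"
        base = os.path.join(proc_root, entry)
        try:
            with open(os.path.join(base, "maps"), errors="replace") as f:
                path = find_stale_libc(f.read())
            with open(os.path.join(base, "comm"), errors="replace") as f:
                name = f.read().strip()
        except OSError:
            continue  # process exited, or not readable without root
        if path:
            stale[int(entry)] = (name, path)
    return stale

if __name__ == "__main__":
    for pid, (name, path) in sorted(stale_libc_processes().items()):
        print(f"{pid}\t{name}\t{path}")
```

Run it as root after the upgrade; any process it lists is still executing the old library until it is restarted.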

alex kot

Jan 29, 2015, 10:20:51 PM
to akro...@googlegroups.com, admf...@gmail.com
Granted, some distros patched it a while back, like 2 years ago: https://chromium.googlesource.com/chromiumos/overlays/chromiumos-overlay/+/7738d06627941a2119ba15f3472320c5cecc7be6/sys-libs/glibc/files/local/glibc-2.15-nss-buffer-overflow.patch

Most distros didn't find this a concern.

Your Red Hat and Ubuntu-based servers will need to be patched.

As for "It only works on exim FUD".  The PoC was built using exim.  They also ruled out many applications that are not affected by this. http://seclists.org/oss-sec/2015/q1/283

Though this doesn't mean much with that large exception, since almost everything uses glibc... Though in recent news Rapid7 posted a PoC using PHP... so if you have a web server, patch it ASAP. Though patch it in general, since this is the 5th software known to have the issue. I am sure that number will go up tomorrow.
