The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of glibc: buffer overflow of gethostbyname, GHOST

Synthesis of the vulnerability 

An attacker can, for example, send an email containing an overly long IPv4 address to force the mail server to resolve it, which triggers a buffer overflow in the glibc gethostbyname() function and leads to a denial of service and possibly to code execution. Several programs that use gethostbyname() are vulnerable through a similar attack vector.
Impacted software: Arkoon FAST360, GAiA, CheckPoint IP Appliance, Provider-1, SecurePlatform, CheckPoint Security Gateway, CheckPoint VSX-1, Cisco ASR, Cisco Catalyst, IOS XE Cisco, IOS XR Cisco, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco CUCM, XenServer, Clearswift Email Gateway, Debian, Unisphere EMC, VNX Operating Environment, VNX Series, Exim, BIG-IP Hardware, TMOS, HPE BSM, HP Operations, Performance Center, Junos Space, McAfee Email and Web Security, McAfee Email Gateway, McAfee MOVE AntiVirus, McAfee NSP, McAfee NTBA, McAfee NGFW, VirusScan, McAfee Web Gateway, openSUSE, Oracle Communications, Palo Alto Firewall PA***, PAN-OS, PHP, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, RealPresence Resource Manager, Polycom VBP, RHEL, SIMATIC, Slackware, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, WordPress Core.
Severity of this computer vulnerability: 4/4.
Creation date: 27/01/2015.
Revision date: 27/01/2015.
References for this announcement: 198850, 199399, c04577814, c04589512, CERTFR-2015-AVI-043, cisco-sa-20150128-ghost, cpujul2015, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CTX200437, CVE-2015-0235, DSA-2019-197, DSA-3142-1, ESA-2015-030, ESA-2015-041, GHOST, HPSBGN03270, HPSBGN03285, JSA10671, K16057, KM01391662, MDVSA-2015:039, openSUSE-SU-2015:0162-1, openSUSE-SU-2015:0184-1, PAN-SA-2015-0002, RHSA-2015:0090-01, RHSA-2015:0092-01, RHSA-2015:0099-01, RHSA-2015:0101-01, RHSA-2015:0126-01, SB10100, sk104443, SOL16057, SSA:2015-028-01, SSA-994726, SUSE-SU-2015:0158-1, USN-2485-1, VIGILANCE-VUL-16060, VU#967332.

Description of the vulnerability 

The glibc library provides two functions to obtain the IP address of a server from its DNS name:
  struct hostent *gethostbyname(const char *name);
  struct hostent *gethostbyname2(const char *name, int af);

For example:
  he = gethostbyname("www.example.com");

These functions also accept an IP address directly:
  he = gethostbyname("192.168.1.1");

However, a malformed, overly long IPv4 address such as 192.168.111111.1 (more than 1024 bytes long) triggers an overflow in the __nss_hostname_digits_dots() function.

An attacker can therefore, for example, send an email containing an overly long IPv4 address to force the mail server to resolve it, which triggers a buffer overflow in the glibc gethostbyname() function and leads to a denial of service and possibly to code execution.

Several programs using the gethostbyname() function are vulnerable (exim, php, pppd, procmail) with a similar attack vector. The following programs are apparently not vulnerable: apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql, nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd, pure-ftpd, rsyslog, samba, sendmail, squid, sysklogd, syslog-ng, tcp_wrappers, vsftpd, xinetd.
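
An input guard placed in front of name resolution, as an added example (not code from glibc, this bulletin or any affected product): it applies the 255-byte limit this page gives as the PHP workaround, refuses digits-and-dots names that are not a strict dotted quad, and resolves with getaddrinfo() instead of the obsolete gethostbyname(). The names name_is_acceptable, guarded_resolve and MAX_NAME_LEN are illustrative assumptions.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

#define MAX_NAME_LEN 255 /* assumption: limit taken from the PHP workaround */

/* Returns 1 if name may be passed to the resolver, 0 if it must be rejected. */
int name_is_acceptable(const char *name)
{
    if (name == NULL)
        return 0;
    size_t len = strnlen(name, MAX_NAME_LEN + 1);
    if (len == 0 || len > MAX_NAME_LEN)
        return 0;
    /* Digits-and-dots input is treated as an address: require a strict
     * dotted quad, so 192.168.111111.1 is refused before any lookup. */
    if (strspn(name, "0123456789.") == len) {
        struct in_addr addr;
        return inet_pton(AF_INET, name, &addr) == 1;
    }
    return 1;
}

/* Validates name, then resolves it with getaddrinfo(). Returns 0 on success
 * (first IPv4 address written to out), -1 if the guard rejected the input,
 * -2 if resolution failed. */
int guarded_resolve(const char *name, char *out, socklen_t outlen)
{
    struct addrinfo hints, *res = NULL;
    if (!name_is_acceptable(name))
        return -1;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;
    hints.ai_socktype = SOCK_STREAM;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return -2;
    struct sockaddr_in *sin = (struct sockaddr_in *)res->ai_addr;
    const char *p = inet_ntop(AF_INET, &sin->sin_addr, out, outlen);
    freeaddrinfo(res);
    return p ? 0 : -2;
}

int main(void)
{
    char ip[INET_ADDRSTRLEN];
    printf("192.168.1.1      -> %d\n", guarded_resolve("192.168.1.1", ip, sizeof ip));
    printf("192.168.111111.1 -> %d\n", guarded_resolve("192.168.111111.1", ip, sizeof ip));
    return 0;
}
```

Such a guard only reduces exposure in code you control; the fixed glibc packages listed under the solutions remain the actual correction.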

Our Vigil@nce team determined that the severity of this computer weakness alert is critical.

The trust level is "confirmed by the editor", and the origin is "internet server".

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner-level skills can exploit this computer vulnerability.

Solutions for this threat 

glibc: version 2.18.
Version 2.18 is fixed.

glibc: patch for gethostbyname, GHOST.
A patch is available in information sources.

Arkoon Fast360: versions 5.0/33 and 6.0/7.
Versions 5.0/33 and 6.0/7 are fixed:
  https://support-https.arkoon.net/fast360/fast360_migration.php

Check Point: solution for GHOST.
The solution is indicated in information sources.

Cisco: solution for GHOST.
The solution is indicated in information sources.

Citrix XenServer: patch for ghost.
A patch for some versions of XenServer 6 is available in information sources.

Clearswift SECURE Email Gateway: version 3.8.6.
Version 3.8.6 is fixed:
  http://app-patches.clearswift.net/Patches/Patch3_8_6en.htm

Clearswift SECURE Email Gateway: version 3.8.7.
Version 3.8.7 is fixed:
  http://app-patches.clearswift.net/Patches/Patch3_8_7en.htm

Debian: new eglibc packages.
New packages are available:
  Debian 7: eglibc 2.13-38+deb7u7

Dell EMC VNXe: version MR4 Service Pack 5.
Version MR4 Service Pack 5 is fixed:
  https://www.dell.com/support/

EMC Unisphere: solution for GHOST.
The solution is indicated in information sources.

EMC VNXe1 MR4: solution for GHOST.
The solution is indicated in information sources.

Exim: workaround for GHOST.
A workaround is to disable the analysis of HELO/EHLO commands.

F5: solution for GHOST.
The solution is indicated in information sources.

HP OAVA, vPV VA, OMi VA: solution for GHOST.
The solution is indicated in information sources.

HP Operations Analytics: solution for GHOST.
The solution is indicated in information sources.

Juniper: solution for GHOST.
The solution is indicated in information sources.

Mandriva: new glibc packages.
New packages are available:
  Mandriva BS1: glibc 2.14.1-12.11.mbs1

McAfee: solution for GHOST.
The solution is indicated in information sources.

Novell Sentinel: version 7.3.0.0.
Version 7.3.0.0 is fixed:
  https://download.novell.com/Download?buildid=WA2o2ZIiUMM~

openSUSE: new glibc packages.
New packages are available:
  openSUSE 11.4: glibc 2.11.3-12.62.1
  openSUSE 12.3: glibc 2.17-4.17.1

Oracle Communications: CPU of July 2015.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2024564.1
  https://support.oracle.com/rs?type=doc&id=2030705.1

Oracle Communications: CPU of July 2017.
A Critical Patch Update is available.

Oracle Communications: CPU of October 2016.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2188694.1

Oracle Communications: CPU of October 2017.
A Critical Patch Update is available.

Oracle Communications: CPU of October 2018.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2451363.1
  https://support.oracle.com/rs?type=doc&id=2450339.1
  https://support.oracle.com/rs?type=doc&id=2450354.1
  https://support.oracle.com/rs?type=doc&id=2450340.1
  https://support.oracle.com/rs?type=doc&id=2452772.1
  https://support.oracle.com/rs?type=doc&id=2451007.1

PAN-OS: version 7.0.0.
Version 7.0.0 is fixed:
  https://www.paloaltonetworks.com/

PHP: workaround for GHOST.
A workaround is to filter gethostbyname() parameters which are longer than 255 bytes.

Polycom: fixed versions for GHOST.
Fixed versions are indicated in information sources.

Polycom: solution for GHOST.
The solution is indicated in information sources.

RHEL 6 RHEV Hypervisor: new rhev-hypervisor6 packages.
New packages are available:
  RHEL 6: rhev-hypervisor6 6.6-20150123.1.el6ev

RHEL: new glibc packages.
New packages are available:
  RHEL 4: glibc 2.3.4-2.57.el4.2
  RHEL 5: glibc 2.5-123.el5_11.1
  RHEL 6: glibc 2.12-1.149.el6_6.5
  RHEL 7: glibc 2.17-55.el7_0.5

SIMATIC: solution for GHOST.
The solution is indicated in information sources.

Slackware: new glibc packages.
New packages are available:
  Slackware 13.0: glibc 2.9-*-7_slack13.0
  Slackware 13.1: glibc 2.11.1-*-9_slack13.1
  Slackware 13.37: glibc 2.13-*-8_slack13.37
  Slackware 14.0: glibc 2.15-*-9_slack14.0
  Slackware 14.1: glibc 2.17-*-10_slack14.1

SUSE LE: new glibc packages.
New packages are available:
  SUSE LE 10: glibc 2.4-31.113.3
  SUSE LE 11 SP1: glibc 2.11.1-0.60.1
  SUSE LE 11 SP2: glibc 2.11.3-17.45.55.5
  SUSE LE 11 SP3: glibc 2.11.3-17.74.13

Synology DSM: patch for GHOST.
A patch is available:
  https://www.synology.com/

Ubuntu: new libc6 packages.
New packages are available:
  Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.10
  Ubuntu 10.04 LTS: libc6 2.11.1-0ubuntu7.20