CVE-2015-0235 aka "GHOST" glibc gethostbyname buffer overflow vulnerability

Version 4

    LANDESK is aware of the vulnerability in glibc and we are currently finishing our review of its impact. We will update this document with further information as we have it. We appreciate your patience.

    As updates are available, including any additional information about how this vulnerability affects LANDESK products and progress on any updates or patches, they will be added to this document.

     

    Latest Updates

    Resolution of Known Issue

    January 27, 2015 (4:00PM MDT)

    LANDESK is currently reviewing the impact of the glibc vulnerability across its suite of products. We will continue to update this document with the latest information.


    February 6, 2015 (2:00PM MDT)


    We are currently testing a patch for our 4.3 Cloud Services Appliance. Once it is ready for release, we will update this document.


    February 10, 2015 (5:50AM MDT)


    We have now released GSB 167 for the 4.3 Cloud Services Appliance.  To find out more regarding this patch, please see LANDESK Patch News Bulletin: LANDESK has Provided an Update for CSA 4.3 - (Patch 167) to Address CVE-2015-0235 (GHOST) and CVE-2014-3566 (POODLE) 10-FEB-2015

    What is this vulnerability?

    As per Qualys: "During a code audit performed internally at Qualys, we discovered a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions, so we decided to analyze it -- and its impact -- thoroughly, and named this vulnerability "GHOST"."

    "Our main conclusions are:

    - Via gethostbyname() or gethostbyname2(), the overflowed buffer is located in the heap. Via gethostbyname_r() or gethostbyname2_r(), the overflowed buffer is caller-supplied (and may therefore be located in the heap, stack, .data, .bss, etc; however, we have seen no such call in practice).

    - At most sizeof(char *) bytes can be overwritten (i.e., 4 bytes on 32-bit machines, and 8 bytes on 64-bit machines). Bytes can be overwritten only with digits ('0'...'9'), dots ('.'), and a terminating null character ('\0').

    - Despite these limitations, arbitrary code execution can be achieved. As a proof of concept, we developed a full-fledged remote exploit against the Exim mail server, bypassing all existing protections (ASLR, PIE, and NX) on both 32-bit and 64-bit machines. We will publish our exploit as a Metasploit module in the near future.


    - The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.


    - We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example."


    For more information please see oss-security - Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow.
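    The Qualys text above gives one concrete fact an administrator can act on: the upstream fix landed between glibc-2.17 and glibc-2.18, so a glibc reporting 2.18 or later carries it. The POSIX shell check below is an added example, not part of the LANDESK advisory or the Qualys text; the function names are my own. It reads the version from `ldd --version` and compares it against that fix point. Because distributions such as the ones Qualys lists backport fixes without changing the version number, an older version only means "consult the vendor's bulletin", not "exposed"; for the Cloud Services Appliance that bulletin is the one referenced in this document.

```shell
#!/bin/sh
# Added example (not LANDESK's or Qualys' code): report whether the running
# glibc is at or past the upstream GHOST fix quoted in the advisory
# (fixed between glibc-2.17 and glibc-2.18, so 2.18+ is fixed upstream).

# ghost_fixed_upstream VERSION
# Returns 0 if VERSION (e.g. "2.31", "2.17", "2.12-1ubuntu") is >= 2.18,
# 1 otherwise or if VERSION is not a recognisable "major.minor" string.
ghost_fixed_upstream() {
    major=${1%%.*}            # text before the first dot
    rest=${1#*.}              # text after the first dot
    minor=${rest%%[!0-9]*}    # leading digits of the minor part only
    case "$major$minor" in
        ""|*[!0-9]*) return 1 ;;   # empty or non-numeric: treat as unknown
    esac
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -ge 18 ] && return 0
    return 1
}

# glibc_version
# Prints the version from the first line of `ldd --version`, whose last
# field is the glibc version on glibc-based systems, e.g.
# "ldd (GNU libc) 2.31" -> "2.31". Prints nothing when that field does
# not look like a version (no glibc, or a non-glibc ldd such as musl's).
glibc_version() {
    ldd --version 2>/dev/null | awk 'NR == 1 && $NF ~ /^[0-9]+\.[0-9]+/ { print $NF }'
}

# check_ghost
# Exit status: 0 = upstream fix present, 1 = predates upstream fix (check
# vendor backports / patch bulletins), 2 = glibc version could not be read.
check_ghost() {
    v=$(glibc_version)
    if [ -z "$v" ]; then
        echo "glibc version not found; this may not be a glibc-based system"
        return 2
    fi
    if ghost_fixed_upstream "$v"; then
        echo "glibc $v: at or past the upstream fix for CVE-2015-0235 (GHOST)"
        return 0
    fi
    echo "glibc $v: predates the upstream fix; check whether your vendor backported it"
    return 1
}

check_ghost
```

    Run it on the host in question; a non-zero exit status is a prompt to check the vendor's patch status, not a verdict on exposure.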


    How does this affect LANDESK?

    Affected Product(s)


    LANDESK Cloud Services Appliance 4.2 and later


    Non-Affected Product(s)


    LANDESK Management Suite 9.0 and later

    LANDESK Asset Lifecycle Manager

    LANDESK Service Desk, including Service Desk as a Service (SDaas)

    Mobility products including Wavelink, Avalanche on Demand, and LANDESK Mobility Management

    Shavlik Products

    Other LANDESK Cloud Services


    Solution


    We have now released GSB 167 for the 4.3 Cloud Services Appliance. To find out more regarding this patch, please see LANDESK Patch News Bulletin: LANDESK has Provided an Update for CSA 4.3 - (Patch 167) to Address CVE-2015-0235 (GHOST) and CVE-2014-3566 (POODLE) 10-FEB-2015


    - LANDESK Support