The ghosts of bugs past
Recently the team at Qualys uncovered an exploitable buffer overflow in the GNU C Library (glibc), tracked as CVE-2015-0235. The vulnerability has limitations, in that only a small number of bytes can be written past the end of the buffer, but Qualys did successfully create and execute an exploit against an Exim mail server.
The bug itself was discovered and fixed back in 2013, but the fix was distributed as an ordinary bug fix rather than as a security fix, so it is likely that stable versions never picked up the patch.
Now that a proof of concept has shown this to be a real security threat, it is important that administrators of affected servers take the necessary steps to update their systems if the original patch was not applied.
Affected Linux distributions include:
RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
CentOS Linux version 5.x, 6.x and 7.x
Ubuntu Linux version 10.04, 12.04 LTS
Debian Linux version 7.x
Linux Mint version 13.0
Fedora Linux version 19 or older
SUSE Linux Enterprise 11 and older (also openSUSE 11 and older versions)
SUSE Linux Enterprise Software Development Kit 11 SP3
SUSE Linux Enterprise Server 11 SP3 for VMware
SUSE Linux Enterprise Server 11 SP3
SUSE Linux Enterprise Server 11 SP2 LTSS
SUSE Linux Enterprise Server 11 SP1 LTSS
SUSE Linux Enterprise Server 10 SP4 LTSS
SUSE Linux Enterprise Desktop 11 SP3
Arch Linux glibc version <= 2.18-1
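Because distributions backport fixes without changing the glibc version number, the version string alone does not tell you whether the patch is present on a given server. The self-test below is an added example written for this post, not code from the original article or from Qualys; it follows the canary approach used in the Qualys advisory. It calls gethostbyname_r() with a buffer sized so that an unpatched __nss_hostname_digits_dots() writes sizeof(char *) bytes past the end of the buffer, and detects that by checking an adjacent marker string. The buffer size, marker text and function names are this example's own choices.

```c
/* ghost_check.c: self-test for the glibc gethostbyname buffer overflow
 * (CVE-2015-0235, "GHOST"). Added example following the canary technique
 * of the Qualys advisory; names and constants here are this example's own.
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define GHOST_BUFLEN 1024
#define GHOST_CANARY "canary-still-intact"   /* marker text is arbitrary */

/* Buffer and canary live in one struct so they are guaranteed adjacent:
 * an overflow of the buffer lands on the canary, not on unrelated memory. */
static struct {
    char buffer[GHOST_BUFLEN];
    char canary[sizeof(GHOST_CANARY)];
} probe;

/* Length of the all-digit hostname that makes the unpatched size check pass
 * exactly. The buggy size_needed omitted the sizeof(char *) slot for
 * h_alias_ptr and counted only the 16-byte address, two address pointers
 * and the NUL-terminated name, so the later copies run sizeof(char *)
 * bytes past the buffer. */
size_t ghost_probe_len(size_t buflen)
{
    return buflen - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

/* Returns 1 if the canary was overwritten (vulnerable libc), 0 if intact.
 * If rc is non-NULL it receives the gethostbyname_r() return code: a patched
 * glibc returns ERANGE (buffer too small); other libcs may reject the
 * oversized name with a different code, which is also a clean result. */
int ghost_self_test(int *rc)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    int r;
    char name[GHOST_BUFLEN];
    size_t len = ghost_probe_len(sizeof(probe.buffer));

    memset(probe.buffer, 0, sizeof(probe.buffer));
    memcpy(probe.canary, GHOST_CANARY, sizeof(GHOST_CANARY));

    /* A name made only of digits is handled by glibc's digits-and-dots
     * fast path, so this never issues a DNS query. */
    memset(name, '0', len);
    name[len] = '\0';

    r = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                        &result, &herrno);
    if (rc)
        *rc = r;

    return memcmp(probe.canary, GHOST_CANARY, sizeof(GHOST_CANARY)) != 0;
}

int main(void)
{
    int rc;
    if (ghost_self_test(&rc)) {
        puts("vulnerable: canary overwritten, glibc is not patched");
        return EXIT_FAILURE;
    }
    printf("not vulnerable (gethostbyname_r returned %d%s)\n", rc,
           rc == ERANGE ? ", ERANGE as expected from a patched glibc" : "");
    return EXIT_SUCCESS;
}
```

Build with `cc -o ghost_check ghost_check.c` and run it on the host itself, since the result depends on the libc actually loaded by processes on that machine. A clean result means the libc in use has the fix, whatever its version string says; it says nothing about statically linked binaries that carry their own copy of glibc, which must be rebuilt separately.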
It is interesting how, when CVEs like this are published, many servers remain vulnerable to the published exploit. Most of the compromised-server attacks we hear about use exploits like this; I'm referring to actual security threat notices, not bug fixes. Still, this may be a lesson in keeping your server software updated even when a patch is not an evident security fix.
A noteworthy aspect of this type of exploit is that software patch records can act as a roadmap for attackers, giving them insight into which exploit is needed to compromise a server. A squashed bug in the software patch log can be raised from the dead by an insightful attacker who scans the server to see whether it was patched.
While most exploits use newly discovered vulnerabilities, we cannot neglect the fact that a patch released for a known performance issue should be applied just as if it were designated a security fix. If we don't, those 'ghosts' may come back to haunt us.
Kudos to the Qualys team for finding this.
by Jim Atkins 'thedosmann'