Cisco Event Response: GNU glibc gethostbyname Function Buffer Overflow Vulnerability

SIO globe artThreat Summary


Last Updated: January 29, 2015

This information has been produced in reference to the recent GNU glibc gethostbyname Function Buffer Overflow Vulnerability, aka "GHOST" vulnerability that has been made public by Qualys and Alexander Peslyak of the Openwall Project.

Event Intelligence

The following Cisco content is associated with this Event Response Page:

Cisco Security Advisory: GNU glibc gethostbyname Function Buffer Overflow Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost

Cisco Security Blog Post
http://blogs.cisco.com/talos/ghost-glibc

The following table identifies Cisco Security content that is associated with this Event Response Page:

Cisco Applied Mitigation Bulletin Cisco IntelliShield Alert CVE ID
Not Applicable Vulnerability Alert: GNU glibc gethost Function Calls Buffer Overflow Vulnerability CVE-2015-0235

Vulnerability Characteristics

The GHOST (GNU glibc gethostbyname Function Buffer Overflow) vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0235.

A buffer overflow was found in the GNU C library's (glibc) __nss_hostname_digits_dots() function, which in turn, is used by the gethostbyname(), gethostbyname2(), and other glibc function calls. The vulnerable code in the affected functions is designed to prevent DNS lookups for addresses that do not need to be resolved (i.e. they are already IPv4 or IPv6 addresses). These vulnerable functions are commonly used by networking applications.

Systems that contain glibc versions between 2.2 (included) and 2.17 (included) are considered as AFFECTED. First fixed release is 2.18. Applications that statically link to an affected version are also affected by this vulnerability.

The impact of this vulnerability varies based on hardware and software configurations. A remote, unauthenticated attacker who is able to provide a hostname to an application that is using an affected function may be able to exploit this vulnerability to obtain sensitive information from memory or perform remote code execution with the same privileges as the process or application being exploited.

Impact on Cisco Products

The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by this vulnerability. Cisco Security Advisory GNU glibc gethostbyname Function Buffer Overflow Vulnerability was published and includes information on vulnerable products and products confirmed not vulnerable. The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy.

The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public-facing infrastructure that could be susceptible to this vulnerability to facilitate its remediation.

References

Original disclosure from Qualys

Follow-up post from Qualys about products investigated

RedHat's database entry

Qualys' blog post on the GHOST vulnerability

Fix entry for the original bug on glibc's bug tracking system

 


This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.


Back to Top