Dehaunting Linux, PHP & WordPress from the Ghost Bug

1. Dehaunting Linux, PHP & WordPress from the Ghost Bug www.webhosting.uk.com/blog/dehaunting-linux-php-wordpress-from-the-ghost-bug/ Though all our Linux systems were patched the moment we came to know about the Linux Ghost Bug or the GetHost vulnerability, we would like to help you with information on what this vulnerability is all about. Did you know, Linux users were literally haunted by a ‘GHOST’? Yes, that’s right ‘Haunted’ by ‘ GHOST’, the new security vulnerability found in January this year that hurts Linux as well as other systems that uses the open source glibc library. The name GHOST was tagged as it can be triggered by the GetHOST functions. After not even an year passed since the Heartbleed was discovered, researchers were able to identify another major security vulnerability in the form of GHOST. Though, not as severely bad to the data privacy as the Heartbleed and Shellshock bugs. Let’s first see What glibc is? Well GNU Clibrary or commonly known as glibc is an implementation of standard C library and a core part of the Linux operating system without which Linux can’t function. Then what’s the vulnerability? Qualys researchers discovered a buffer overflow in the _nss_hostname_digits_dots() function of glibc, during a code audit. This bug could be generated at local as well as remote levels through the gethostbyname*() functions. What’s the risk? Using the system with an unaddressed vulnerability, an attacker gets the capability of executing the code remotely. If the exploit get successfully through, the complete control of the system could be compromised. Why so, is it due a flaw with the design? Not really, the problem is in the implementation of the affected versions of the software. While testing, there was a proof generated for the Linux GHOST bug in which a specially created email was sent to a mail server and got a remote shell to the target Linux machine. This means all existing preventive measures (PIE, ASLR and NX) on both 32-bit as well as 64-bit systems were evaded by it. So, how can this be made strong, so that no one can execute it? One of the best solutions to this is applying a patch from your Linux vendor. This hole may be found in any Linux system that was built with glibc-2.2, released on 10th November 2000. According to Qualys, the bug was actually patched with a minor bug fix released on 21st May 2013 i.e. between the releases of glibc-2.17 and glibc-2.18. Since this patch wasn’t considered as a security problem, many stable and long-term-support distributions were wide open. Linux systems that are vulnerable to the attack are RHEL -5,6 and 7, Debian 7 (Wheezy), Ubuntu 12.04 and CentOS 6 and 7. It has been recently found by researchers that, PHP applications including the WordPress content management system would prove to be another weak point for the attackers as identified in the Common Vulnerabilities and Exposures database- CVE-2015-0235. In WordPress, a function called wp_http_validate_url() is used to validate the URLs of the pingback posts. This is done by using gethostbyname() due to which the attacker may force this vector to insert a malicious URL that would lead to buffer overflow bug, server-side, allowing to gain control on the server. 1/2

2. The damage from a possible attack is dependent on several factors comprising of configuration and deployment of your system. Your system would be prevented from the risk of the attack, if it is disconnected from the internet and no passwords or SSH keys are stored on any affected servers. To learn about all possible interconnections has become a challenge with complex IT systems, virtual servers and interconnection. Hence, it is essential to patch all and any server that is vulnerable. There are countless security hardware systems (NVRs, DVRs, appliances) functional on the Linux operating system. If your server provider has notified you with the GHOST vulnerability, you can ask them if the system is exposed and get guidance on fixing it. Suppose there is a software VMS on Linux used by you, examining the OS and patching it immediately is vital, if found infected. In other instance, if there is a proper cloud-based system then the vendor should have adopted some preventive measures for this vulnerability and there isn’t any action required from your side. To conclude, what one can do immediately is update your Linux system as early as possible. Having completed the patching, reboot your system. Usually, rebooting a Linux system is rarely done but gethostbyname is called on by so many core processes, such as dbus-daem, auditd, xinetd, init, dhclient, master, rsyslogd, mysqld, sshd, and udevd you need to ensure that all system programs are using the patched code. Remember GHOST isn’t a vulnerability like Shellshock, Heartbleed or POODLE which were zero-day issues. GHOST doesn’t infect all the Linux distributions. The challenge is to balance the needs of enterprise stability with constant flow of upstream updates. But let’s hope that the Linux vendors will increase their efforts twice to ensure users’ aren’t vulnerable to risk of bugs that are already patched. 2/2