Researchers at Qualys found a widespread bug in glibc, the GNU C Library used by most Linux systems, that affects a wide cross-section of systems exposed on the Internet. The vulnerability allows attackers to remotely take control of a system through a heap-based buffer overflow. You may remember Qualys from their popular web application vulnerability reports, such as the Drupal SQL injection vulnerability they discussed back in October 2014. Qualys provides sound research in this space, so this vulnerability should be taken seriously.
The exploit works by sending a malformed hostname argument to a remote application that performs a DNS (domain name system) lookup, so that the application calls gethostbyname(), which in turn calls __nss_hostname_digits_dots(). The attacker can then execute shellcode to remotely take over the system, likely elevating to the root user. Despite the seemingly severe nature of this security hole, the problem was not classified as a high severity security risk, and thus many distributions have not patched it. This will undoubtedly result in a large number of compromised machines, which will naturally be used for DDoS attacks and other associated malicious tasks. How severe will the problem be? Are we looking down the barrel of another era of NTP floods?
Complexity of Vulnerability
Before we can discuss the potential DDoS risks, we need to assess how serious the actual problem is. Practically any system connected to the Internet will call gethostbyname() for DNS lookups. Qualys released this statement regarding the problem:
“GHOST poses a remote code execution risk that makes it incredibly easy for an attacker to exploit a machine. For example, an attacker could send a simple email on a Linux-based system and automatically get complete access to that machine,” said Wolfgang Kandek, Qualys’s CTO in a statement. “Given the sheer number of systems based on glibc, we believe this is a high severity vulnerability and should be addressed immediately. The best course of action to mitigate the risk is to apply a patch from your Linux vendor.”
Kandek is not trying to incite fear and mass panic, but he is very clear: this is a severe problem and it should be patched right away. It is simple to remotely compromise a machine, and there is a large number of glibc-based systems in the wild that are likely vulnerable. As an exercise, I took the published Qualys and Openwall GHOST tester and broke it apart to elaborate on the simplicity of the exploit.
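As an added example (my own rewrite, not the page's or Qualys's code), here is a patch-status check in the spirit of the published Qualys/Openwall tester, turned into a function that reports whether the running libc still has the bug. It assumes a 64-bit glibc or musl system, and it generates no network traffic because an all-digit name is handled entirely inside the resolver's digits-and-dots path.

```c
#define _GNU_SOURCE   /* exposes gethostbyname_r() in <netdb.h> on glibc and musl */
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Sentinel placed directly after the resolver buffer: the GHOST overflow writes
 * sizeof(char *) bytes past the buffer, so a damaged canary means the libc is unpatched. */
#define CANARY "in_the_coal_mine"

static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

enum ghost_status { GHOST_NOT_VULNERABLE = 0, GHOST_VULNERABLE = 1, GHOST_UNKNOWN = 2 };

/* An all-digit name sends glibc down the __nss_hostname_digits_dots() path without any
 * network traffic. Its length is chosen so the unpatched size check (which left out
 * sizeof(*h_alias_ptr)) passes while the copy overruns the buffer by one pointer. */
enum ghost_status ghost_check(void)
{
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    memcpy(temp.canary, CANARY, sizeof(CANARY));   /* reset so the check is repeatable */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                                 &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return GHOST_VULNERABLE;       /* the overflow reached the canary */
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;   /* a fixed libc rejects the oversized request */
    return GHOST_UNKNOWN;              /* other libc behaviour: inspect manually */
}

int main(void)
{
    static const char *label[] = { "not vulnerable", "vulnerable", "unknown" };
    printf("GHOST check: %s\n", label[ghost_check()]);
    return 0;
}
```

Run it on every host after applying the vendor patch and restarting long-lived services; a process that still has the old glibc mapped stays exposed until it is restarted.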
Scope of Problem
This is a pretty widespread problem. The use of gethostbyname_r() is ubiquitous, as it should be: it is a standard library function that nearly everything uses for name resolution. It is so commonly used that PHP and WordPress can be vulnerable, as highlighted by an advisory report here. When WordPress validates a URL in a pingback, it may end up calling __nss_hostname_digits_dots() and thus open the door to a potential exploit. Luckily, many people have an intrusion detection and prevention system (IDPS) in place, which in theory should enforce compliance with RFC 2181 and thus block DNS names longer than 255 bytes. This makes the exploit more challenging. Other vulnerable applications include ftpd, sshd, bind, and bash: all common tools used on a regular basis by many people.
The problem is amplified by the proliferation and mass adoption of Linux, especially as a lightweight embedded operating system. In an article I wrote about the Internet of Things, I highlighted that a widespread vulnerability in embedded system software would be catastrophic, because updating those systems would be challenging or impossible. The DDoS power that would result from it would be enormous, complex, and nearly impossible to track down. If this vulnerability actively impacts even 500,000 machines (a conservative estimate), we will see a huge uptick in large-scale DDoS attacks over the next 12 months, exceeding 200 Gbps and 100 million packets per second. These are the catastrophic attacks that are often showcased in the global media. Because these attacks come directly from compromised hosts rather than through amplification, their vectors can easily change to bypass firewalls that only block simple attacks like NTP or DNS amplification.
GHOST is a stark reminder that as the Internet proliferates across the world, software engineers need to aspire to a higher standard of development. Shortcuts, insufficient regression and vulnerability testing, and inconsistent coding standards will cause disruptions and real lost dollars for the myriad companies that depend on these programs. It is also a reminder that no matter how good Linux and its GNU base are, and no matter how much global effort goes towards producing amazing software, vulnerabilities will happen. Companies need to be prepared for them with proactive information security policies and procedures.