If you’re following threat feeds, you’ve probably heard about GHOST (CVE 2015-0235), the new critical vulnerability that Qualys disclosed yesterday. This vulnerability has been found in glibc, the GNU C library, and it affects all Linux systems dating back to 2000. Redhat listed it on their CVE database as ‘critical’ with a CVSS v2 score of 6.8.
GHOST is a serious vulnerability and Tripwire’s VERT team of security researchers evaluated the vulnerability yesterday and issued a VERT Alert. We’re providing coverage for GHOST in today’s ASPL update. If you need immediate help finding GHOST on your network today, you can find some free detection rules for VNE’s here.
Given the media hype around high-profile vulnerabilities of late, it might make sense to take a step back and evaluate GHOST independent of the marketing around it. We spoke with Craig Young, one of our security researchers and VERT member, about how Ghost stacks up against other vulnerabilities currently being exploited in the wild.
Young immediately said, “Ghost is no Shellshock,” and here’s why:
Shellshock allows for a one-size-fits-all payload since it is a command injection rather than a memory corruption bug.
- Remote code execution using GHOST requires someone with knowledge (potentially advanced knowledge) of the specific use of the vulnerable function, security mechanisms in-place on the target, such as NX/ASLR/PIE/etc.
- Each target will require a custom payload based on the location of the memory overflow, as well as various other factors. which vary between OS distributions and application compilation and linking (i.e. Memory addresses and/or offsets are needed). This means their exim exploit, which targets a fairly old OS, would likely not translate directly to a similarly vulnerable exim on Red Hat due to potential differences in compile time options and other factors.
Shellshock was 0-day, whereas GHOST had a patch available in May 2013 and a tested stable release in August 2013.
- Older systems are vulnerable and even long-term support releases did not all pick up this change because it was not initially recognized as a security impact.
In simpler terms, while both vulnerabilities are in code that’s very common on many *nix platforms, GHOST requires significantly more specific knowledge of a target to exploit and a patch has been available for more than a year.
GHOST still gets a 6.8 CVSS score, which translates to a medium severity vulnerability based on NVD’s scale;it’s definitely worth patching. By contrast, CVE-2015-0311, an Adobe Flash vulnerability, has a CVSS score of 10 and has been actively exploited in the wild. When prioritizing your efforts with scarce resources, these are important factors to consider.
Here’s the difference in the scores, illustrated by NVD:
Any information security professional will tell you that if you have both vulnerabilities, the Flash vulnerability should be a higher priority even it hasn’t been featured in the news and doesn’t have a logo.
The most relevant take-away from all the hype around GHOST may be a reminder to everyone that the best security practice is to focus first on the vulnerabilities that present the greatest risk to your organization.