search menu icon-carat-right cmu-wordmark

CERT Coordination Center


GNU C Library (glibc) __nss_hostname_digits_dots() function vulnerable to buffer overflow

Vulnerability Note VU#967332

Original Release Date: 2015-01-28 | Last Revised: 2015-10-22

Overview

The __nss_hostname_digits_dots() function of the GNU C Library (glibc) allows a buffer overflow condition in which arbitrary code may be executed. This vulnerability has been assigned CVE-2015-0235, and is referred to in the media by the name "GHOST".

Description

According to Qualys, the vulnerability is "a buffer overflow in the __nss_hostname_digits_dots() function of the GNU C Library (glibc). This bug is reachable both locally and remotely via the gethostbyname*() functions" and furthermore, "arbitrary code execution can be achieved" by use of the buffer overflow.

All versions of glibc from glibc-2.2 (released 2010-11-10) until glibc-2.17 are vulnerable. The vulnerability was patched on 2013-05-21, prior to the release of glibc-2.18.

For more details, please see the full Qualys Security Advisory.

Impact

The __nss_hostname_digits_dots() function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on if the use case is local or remote.

Solution

Apply an update

Affected users may apply a patch or update to glibc-2.18 or later. The Vendor Status information below provides more information on updates.

Vendor Information

Some older, no longer supported versions of linux distributions may contain an older version of glibc that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue.

967332
Expand all

Arch Linux

Notified:  January 28, 2015 Updated:  January 30, 2015

Statement Date:   January 28, 2015

Status

  Affected

Vendor Statement

"Arch Linux is not vulnerable. [Arch Linux is] on a modern version of glibc so [Arch Linux] should have been safe for 18+ months."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

If using an edition of Arch Linux older than about 18 months, you may wish to check with the vendor to find out if you need to upgrade.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Blue Coat Systems

Updated:  January 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://bto.bluecoat.com/security-advisory/sa90

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cisco Systems, Inc.

Updated:  January 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Citrix

Updated:  January 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.citrix.com/article/CTX200391

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian GNU/Linux

Notified:  January 28, 2015 Updated:  January 28, 2015

Statement Date:   January 28, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://security-tracker.debian.org/tracker/CVE-2015-0235

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

F5 Networks, Inc.

Updated:  January 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16057.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Gentoo Linux

Notified:  January 28, 2015 Updated:  January 30, 2015

Statement Date:   January 29, 2015

Status

  Affected

Vendor Statement

"Our most recent glibc packages are not affected; we'll be issuing an

advisory anyway to inform users who may still have older versions installed."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Juniper Networks, Inc.

Updated:  January 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://kb.juniper.net/InfoCenter/index?page=content&id=JSA10671&cat=SIRT_1&actp=

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NEC Corporation

Updated:  October 22, 2015

Status

  Affected

Vendor Statement

"We provide information on this issue at the following URL: <http://jpn.nec.com/security-info/secinfo/nv15-007.html> (only in Japanese)."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://jpn.nec.com/security-info/secinfo/nv15-007.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

NetApp

Updated:  January 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://kb.netapp.com/support/index?page=content&id=9010027

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Openwall GNU/*/Linux

Notified:  January 28, 2015 Updated:  January 30, 2015

Statement Date:   January 29, 2015

Status

  Affected

Vendor Statement

"Openwall GNU/*/Linux (Owl) was affected, although there's no known
attack vector that would expose the glibc bug as a vulnerability in an
install of Owl with no third-party software.  We have released glibc
updates for Owl 3.1-stable and Owl-current on 2015/01/28.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Notified:  January 28, 2015 Updated:  January 30, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://access.redhat.com/security/cve/CVE-2015-0235 https://rhn.redhat.com/errata/RHSA-2015-0099.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

SUSE Linux

Notified:  January 28, 2015 Updated:  January 28, 2015

Statement Date:   January 28, 2015

Status

  Affected

Vendor Statement

"SUSE Linux Enterprise 11 and older are affected by the problem. We released
updates
for all supported and affected codestreams.

SUSE Linux Enterprise 12 is not affected by this problem.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.novell.com/security/cve/CVE-2015-0235.html http://lists.suse.com/pipermail/sle-security-updates/2015-January/001186.html

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Slackware Linux Inc.

Notified:  January 28, 2015 Updated:  January 28, 2015

Statement Date:   January 28, 2015

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.slackware.com/security/list.php?l=slackware-security&y=2015

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Ubuntu

Notified:  January 28, 2015 Updated:  January 28, 2015

Statement Date:   January 28, 2015

Status

  Affected

Vendor Statement

"Ubuntu 10.04 LTS (lucid) and Ubuntu 12.04 LTS (precise) were
affected; Ubuntu 14.04 LTS and newer releases were not, as they
included versions of the GNU C Library that already contained the
upstream fix.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://www.ubuntu.com/usn/usn-2485-1/ https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GHOST

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

openSUSE project

Notified:  January 28, 2015 Updated:  January 30, 2015

Statement Date:   January 28, 2015

Status

  Affected

Vendor Statement

"openSUSE 13.1 and 13.2 are not affected by the problem."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

http://support.novell.com/security/cve/CVE-2015-0235.html http://lists.suse.com/pipermail/sle-security-updates/2015-January/001186.html

Addendum

Older versions of openSUSE may be affected. Check with the vendor to see if you require an upgrade.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Contiki OS

Notified:  January 28, 2015 Updated:  January 28, 2015

Statement Date:   January 28, 2015

Status

  Not Affected

Vendor Statement

"Contiki OS does not use the GNU libc resolver functions so is not affected
by this.
"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CentOS

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Cray Inc.

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Fedora Project

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Hewlett-Packard Company

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM Corporation (zseries)

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

IBM eServer

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Mandriva S. A.

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Oracle Corporation

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Turbolinux

Notified:  January 28, 2015 Updated:  January 28, 2015

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Addendum

There are no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base 10.0 AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal 7.8 E:POC/RL:OF/RC:C
Environmental 5.9 CDP:ND/TD:M/CR:ND/IR:ND/AR:ND

References

Credit

Credit to Qualys for discovering the vulnerability.

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-0235
Date Public: 2015-01-28
Date First Published: 2015-01-28
Date Last Updated: 2015-10-22 13:00 UTC
Document Revision: 24

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.