Cisco Event Response: GNU glibc gethostbyname Function Buffer Overflow Vulnerability

Threat Summary


Last Updated: January 29, 2015

This information has been produced in reference to the recent GNU glibc gethostbyname Function Buffer Overflow Vulnerability, also known as the "GHOST" vulnerability, which was made public by Qualys and Alexander Peslyak of the Openwall Project.

Event Intelligence

The following Cisco content is associated with this Event Response Page:

Cisco Security Advisory: GNU glibc gethostbyname Function Buffer Overflow Vulnerability
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost

Cisco Security Blog Post
http://blogs.cisco.com/talos/ghost-glibc

The following table identifies Cisco Security content that is associated with this Event Response Page:

Cisco Applied Mitigation Bulletin: Not Applicable
Cisco IntelliShield Alert: Vulnerability Alert: GNU glibc gethost Function Calls Buffer Overflow Vulnerability
CVE ID: CVE-2015-0235

Vulnerability Characteristics

The GHOST (GNU glibc gethostbyname Function Buffer Overflow) vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0235.

A buffer overflow was found in the GNU C library's (glibc) __nss_hostname_digits_dots() function, which in turn is used by gethostbyname(), gethostbyname2(), and other glibc function calls. The vulnerable code is designed to prevent DNS lookups for names that do not need to be resolved (that is, names that are already IPv4 or IPv6 addresses). The affected functions are commonly used by networking applications.

Systems that contain glibc versions 2.2 through 2.17, inclusive, are considered affected. The first fixed release is 2.18. Applications that statically link to an affected version are also affected by this vulnerability.
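The affected range stated above can be checked mechanically. The following is an added example, not code from Cisco, Qualys or the glibc project: it classifies a glibc version string against the 2.2 through 2.17 range and, with no arguments, reports on the glibc the program is running against. The function name ghost_in_affected_range and the exit codes are assumptions made for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version() */
#endif

/* Hypothetical helper: returns 1 if "major.minor[...]" falls in the range
 * this page lists as affected (2.2 through 2.17 inclusive), 0 if it falls
 * outside that range, and -1 if the string cannot be parsed. */
int ghost_in_affected_range(const char *ver)
{
    char *end;
    long major, minor;

    if (ver == NULL) return -1;
    major = strtol(ver, &end, 10);
    if (end == ver || *end != '.') return -1;   /* need "major." */
    ver = end + 1;
    minor = strtol(ver, &end, 10);
    if (end == ver || major < 0 || minor < 0) return -1;

    if (major != 2) return 0;
    return (minor >= 2 && minor <= 17) ? 1 : 0;
}

static const char *label(int r)
{
    return r == 1 ? "in affected range (2.2-2.17)"
         : r == 0 ? "outside affected range" : "unparseable";
}

/* No arguments: check the runtime glibc. With arguments: check each version
 * string given, e.g. versions recovered from statically linked binaries.
 * Exit status 1 means at least one version is in the affected range. */
int main(int argc, char **argv)
{
    int i, hits = 0;
    if (argc < 2) {
#ifdef __GLIBC__
        const char *v = gnu_get_libc_version();
        printf("runtime glibc %s: %s\n", v, label(ghost_in_affected_range(v)));
        return ghost_in_affected_range(v) == 1;
#else
        puts("not built against glibc; pass version strings as arguments");
        return 2;
#endif
    }
    for (i = 1; i < argc; i++) {
        int r = ghost_in_affected_range(argv[i]);
        printf("%s: %s\n", argv[i], label(r));
        hits += (r == 1);
    }
    return hits > 0;
}
```

A version number inside the range is a prompt to check the vendor's package advisory, because distributions can ship fixes without changing the upstream version number. The runtime check also says nothing about applications that statically link glibc, which must be assessed individually.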

The impact of this vulnerability varies based on hardware and software configurations. A remote, unauthenticated attacker who is able to provide a hostname to an application that is using an affected function may be able to exploit this vulnerability to obtain sensitive information from memory or perform remote code execution with the same privileges as the process or application being exploited.

Impact on Cisco Products

The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by this vulnerability. The Cisco Security Advisory "GNU glibc gethostbyname Function Buffer Overflow Vulnerability" has been published and includes information on vulnerable products and on products confirmed not vulnerable. The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy.

The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public-facing infrastructure that could be susceptible to this vulnerability to facilitate its remediation.



This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.

This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.

