
Cisco Event Response: GNU glibc gethostbyname Function Buffer Overflow Vulnerability

Threat Summary
Last Updated: January 29, 2015

This information has been produced in reference to the recent GNU glibc gethostbyname Function Buffer Overflow Vulnerability, also known as the "GHOST" vulnerability, which was made public by Qualys and Alexander Peslyak of the Openwall Project.

 

Event Intelligence

The following Cisco content is associated with this Event Response Page:

Cisco Security Advisory: GNU glibc gethostbyname Function Buffer Overflow Vulnerability
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20150128-ghost

Cisco IntelliShield Alert: GNU glibc gethost Function Calls Buffer Overflow Vulnerability
http://tools.cisco.com/security/center/viewAlert.x?alertId=37181

Cisco Security Blog Post
http://blogs.cisco.com/talos/ghost-glibc


The following table identifies Cisco Security content that is associated with this Event Response Page:

Cisco Applied Mitigation Bulletin: Not Applicable
Cisco IntelliShield Alert: Vulnerability Alert: GNU glibc gethost Function Calls Buffer Overflow Vulnerability

Vulnerability Characteristics

The GHOST (GNU glibc gethostbyname Function Buffer Overflow) vulnerability has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0235.

A buffer overflow was found in the GNU C library's (glibc) __nss_hostname_digits_dots() function, which, in turn, is used by gethostbyname(), gethostbyname2(), and other glibc function calls. The vulnerable code is designed to prevent DNS lookups for inputs that do not need to be resolved (that is, inputs that are already IPv4 or IPv6 addresses). These functions are commonly used by networking applications.

Systems that contain glibc versions from 2.2 through 2.17 (both included) are considered affected. The first fixed release is 2.18. Applications that statically link to an affected version are also affected by this vulnerability.
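As a first-pass triage of the version range stated above, the following added example (not part of the Cisco advisory or any Cisco tool) classifies a glibc version string and the glibc the current process runs on. The names ghost_classify, parse_major_minor and runtime_glibc_version are hypothetical; gnu_get_libc_version() is the real glibc call.

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef __GLIBC__                 /* defined once any glibc header is included */
#include <gnu/libc-version.h>    /* gnu_get_libc_version() */
#endif

enum ghost_status { GHOST_UNKNOWN = -1, GHOST_OUTSIDE_RANGE = 0, GHOST_IN_RANGE = 1 };

/* Parse the leading "major.minor" of "2.17", "2.12.1", etc.; 0 on success. */
static int parse_major_minor(const char *s, long *major, long *minor)
{
    char *end;
    if (s == NULL || *s < '0' || *s > '9')
        return -1;
    *major = strtol(s, &end, 10);
    if (*end != '.' || end[1] < '0' || end[1] > '9')
        return -1;
    *minor = strtol(end + 1, &end, 10);
    return 0;
}

/* Range from the advisory text: 2.2 through 2.17 inclusive; 2.18 is fixed. */
enum ghost_status ghost_classify(const char *version)
{
    long major, minor;
    if (parse_major_minor(version, &major, &minor) != 0)
        return GHOST_UNKNOWN;
    return (major == 2 && minor >= 2 && minor <= 17) ? GHOST_IN_RANGE
                                                     : GHOST_OUTSIDE_RANGE;
}

/* Version of the glibc this process runs on, or NULL on another C library.
   A statically linked binary reports its own embedded copy, so each such
   binary has to be checked separately. */
const char *runtime_glibc_version(void)
{
#ifdef __GLIBC__
    return gnu_get_libc_version();
#else
    return NULL;
#endif
}

int main(void)
{
    const char *v = runtime_glibc_version();
    enum ghost_status st = ghost_classify(v);
    printf("glibc %s: %s\n", v ? v : "(not glibc)", st == GHOST_IN_RANGE ?
           "in affected range" : st == GHOST_UNKNOWN ? "unknown" : "outside affected range");
    return st == GHOST_IN_RANGE;   /* non-zero exit flags a host for follow-up */
}
```

Distribution packages can carry a backported fix under an unchanged upstream version number, so a result inside the range should be confirmed against the vendor's package advisory.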

The impact of this vulnerability varies based on hardware and software configurations. A remote, unauthenticated attacker who is able to provide a hostname to an application that is using an affected function may be able to exploit this vulnerability to obtain sensitive information from memory or perform remote code execution with the same privileges as the process or application being exploited.

Impact on Cisco Products

The Cisco Product Security Incident Response Team (PSIRT) is currently investigating which Cisco products are affected by this vulnerability. The Cisco Security Advisory "GNU glibc gethostbyname Function Buffer Overflow Vulnerability" was published and includes information on vulnerable products and products confirmed not vulnerable. The advisory will be updated as additional information about other products becomes available. Cisco will release free software updates that address these vulnerabilities. Any updates specifically related to Cisco products will be communicated according to the Cisco Security Vulnerability Policy.

The Cisco Computer Security Incident Response Team (CSIRT) is investigating Cisco public-facing infrastructure that could be susceptible to this vulnerability to facilitate its remediation.