
B2&B3 and GHOST vulnerability?

gif
Posts: 11
Joined: 15 Feb 2012, 14:08

B2&B3 and GHOST vulnerability?

Post by gif »

Hi guys,
Seems that B2/B3 are subject to GHOST vulnerability
(http://ma.ttias.be/ghost-critical-glibc ... ame-calls/)

I tried apt-get update & upgrade but there were no updates to glibc. Do we get security fixes any longer? Or is it just that squeeze is not updated anymore?

Code:

Package: libc6
State: installed
Automatically installed: no
Version: 2.11.3-4
Priority: required
Section: libs
Maintainer: GNU Libc Maintainers <debian-glibc@lists.debian.org>
Uncompressed Size: 9994 k
Depends: libc-bin (= 2.11.3-4), libgcc1
Suggests: glibc-doc, debconf | debconf-2.0, locales
Conflicts: prelink (<= 0.0.20090311-1), tzdata (< 2007k-1), tzdata-etch
Breaks: locales (< 2.11), locales-all (< 2.11), nscd (< 2.11)
Provides: glibc-2.11-1
Description: Embedded GNU C Library: Shared libraries
 Contains the standard libraries that are used by nearly all programs on the system. This package includes shared versions of the standard C
 library and the standard math library, as well as many others.
Homepage: http://www.eglibc.org
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: B2&B3 and GHOST vulnerability?

Post by Gordon »

Squeeze has been unsupported for some time now, so no, you will not be getting any updates for it.

But please do not panic. Exploits will only work for those services that you publish to untrustworthy persons, i.e. the internet, and this vulnerability does not even concern a service but a function that needs to be called by someone already having some means of control over your B3. In fact, most of the security patches you get for various systems are probably only useful for less than 1% of its users. Unless you switched off your firewall, it is very unlikely that you are one of them.
sakaki
Posts: 172
Joined: 15 Aug 2014, 11:20

Re: B2&B3 and GHOST vulnerability?

Post by sakaki »

I'll leave it to others who know (way!) more about it than me to comment on upgrading / patching a Debian (standard Excito B2/B3) system against this issue. What follows is just a short status note for those using any of the Live USBs (Gentoo or Arch).

In summary then, the GHOST vulnerability status of the various versions of the Live USBs is as follows (per these threads, glibc < 2.18 are affected):
  • Gentoo for B3 (current release, 1.2.0): glibc-2.19; not affected by GHOST
  • Gentoo for B3 (old release 1.1.0): glibc-2.19; not affected by GHOST
  • Gentoo for B3 (old release 1.0.0): glibc-2.17; affected by GHOST (upgrade recommended)
  • Gentoo for B2 (current release, 1.0.0): glibc-2.19; not affected by GHOST
  • Arch for B3 (current release, 1.0.0): glibc-2.18; not affected by GHOST
As such, you only need take action if you are using the oldest (1.0.0) B3 Gentoo Live USB (and then, only really if you have copied it to your hard drive, are using your B3 as an Internet-facing server, and have not recently updated your system, as described below).

In such a case, simply update your Gentoo system to fix the issue (glibc 2.19 is stable in all Gentoo arches now). Per the instructions on the GitHub page, issue:

Code:

b3 ~ # eix-sync
   (this will take some time to complete, and is similar in effect to apt-get update)
followed by

Code:

b3 ~ # emerge --ask --verbose --deep --with-bdeps=y --newuse --update @world
   (enter 'y' and press <Enter> if prompted; similar in effect to apt-get upgrade)
best

sakaki
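
A first-pass version check built on the threshold quoted in the post above (glibc < 2.18 affected), as an added example that is not part of the original thread. The function names are hypothetical and the sample version strings are the ones quoted in this thread; distribution packages can carry a backported fix without changing the upstream version, so "affected" here means "check the distribution's advisory", not a confirmed finding.

```shell
#!/bin/sh
# Threshold taken from the thread: glibc releases below 2.18 are affected.
FIXED_MAJOR=2
FIXED_MINOR=18

# ghost_status VERSION -> prints "affected", "not affected" or "unknown".
# Accepts upstream ("2.19"), Debian-style ("2.11.3-4") and
# Gentoo-style ("glibc-2.17") version strings.
ghost_status() {
    ver=${1#glibc-}      # drop an optional package-name prefix
    ver=${ver%%-*}       # drop a packaging revision such as "-4" or "-r1"
    major=${ver%%.*}
    rest=${ver#*.}
    # No dot at all means there is no minor number to compare.
    if [ "$rest" = "$ver" ]; then echo unknown; return 0; fi
    minor=${rest%%.*}
    for part in "$major" "$minor"; do
        case $part in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if [ "$major" -lt "$FIXED_MAJOR" ] ||
       { [ "$major" -eq "$FIXED_MAJOR" ] && [ "$minor" -lt "$FIXED_MINOR" ]; }; then
        echo affected
    else
        echo "not affected"
    fi
}

# installed_glibc -> prints the running C library version, or nothing
# on systems that do not use glibc.
installed_glibc() {
    out=$(getconf GNU_LIBC_VERSION 2>/dev/null || true)   # e.g. "glibc 2.19"
    echo "${out#glibc }"
}

# Constructed sample input: the version strings quoted in this thread.
for v in 2.11.3-4 glibc-2.17 glibc-2.18 glibc-2.19; do
    printf '%-12s %s\n' "$v" "$(ghost_status "$v")"
done
printf '%-12s %s\n' "this host" "$(ghost_status "$(installed_glibc)")"
```
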
gif
Posts: 11
Joined: 15 Feb 2012, 14:08

Re: B2&B3 and GHOST vulnerability?

Post by gif »

OK, thanks for info Gordon.
So we're on our own (stock Bubba users, that is). I'm not panicking (for now :| ) but I've been trying to be a bit more cautious since the script-kiddie takeover on the php exploit a year ago, and our company IT department made quite a fuss about this one (surely they run a multitude of potentially exploitable services to the outside, I run only a couple).
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: B2&B3 and GHOST vulnerability?

Post by Ubi »

You're not running your company on a B3, are you?

This exploit is only useful (at this moment) as a local privilege escalation. You need to write local code for this to work, or you must find current code which has this function exposed to the outside world. Afaik this is not the case for the B23. So unless you are hosting websites to people you do not know, my personal feeling is that the threat is not large (please correct if I'm wrong). Probably smaller than the shellshock bug, for which very few people have downloaded and implemented the fix (the problem is still there, it's just not in the news anymore). So if you haven't fixed shellshock and you're worried about this ghost vulnerability, you may be sensitive to hype :D
gif
Posts: 11
Joined: 15 Feb 2012, 14:08

Re: B2&B3 and GHOST vulnerability?

Post by gif »

Ubi wrote: you're not running your company on a B3 are you?
Thankfully I'm not even running any company, just my personal B2+3 ;) And most likely I am just subject to hype created by the IT guys in the company I work in (and ofc it is their job to be quite sensitive about any hype around security).

So, thanks for the input and thoughts about the effect of this vulnerability, the IT guys seem to emphasize just the hazard, but like I said, it is their job.

BTW, I did indeed install shellshock patch too "just in case" and because it was available :)
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: B2&B3 and GHOST vulnerability?

Post by Ubi »

He's right to be worried about this because his risk is much higher than yours, and he is paid specifically to address issues like this. For personal use the cost-benefit ratio is rather different. It also depends on how your B3 is exposed to the network. If it's behind a NAT then the risk is much less than if it is directly connected etc etc.

Still, there is a chance someone finds out that software running on the B3 can be exploited to trigger this ghost vulnerability, so it's still good to see if a patch can be created, but atm there just isn't the manpower.
sakaki
Posts: 172
Joined: 15 Aug 2014, 11:20

Re: B2&B3 and GHOST vulnerability?

Post by sakaki »

Qualys claim to have been able to open a remote shell via a specially-crafted email sent to a vulnerable machine running the Exim mail server (which presumably doesn't do any prior sanity checking on the address headers before trying to look them up!!).

WordPress is apparently also vulnerable, unless the pingback xmlrpc method has been disabled. A nice target surface of up to 25% of websites then... ><

However, most of the apps on the B3 seem to be unaffected; per this list, the following apps are fine, even with a glibc <2.18:

Code:

apache, cups, dovecot, gnupg, isc-dhcp, lighttpd, mariadb/mysql,
nfs-utils, nginx, nodejs, openldap, openssh, postfix, proftpd,
pure-ftpd, rsyslog, samba, sendmail, sysklogd, syslog-ng, tcp_wrappers,
vsftpd, xinetd.
Lastly, to do more than simply crash a server process with GHOST, you need to inject shell code, which is much more likely to be x86 than ARMv5 in most exploits in the wild targeted at servers. So all things considered this is probably a low risk for B3 users.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: B2&B3 and GHOST vulnerability?

Post by Ubi »

Again this xmlrpc. This thing has almost no practical use but keeps being an attack vector over and over again.

For the record: Exim is not running by default on the B3
Gordon
Posts: 1462
Joined: 10 Aug 2011, 03:18

Re: B2&B3 and GHOST vulnerability?

Post by Gordon »

If you'd call it SOAP - which is its successor's name - I think people might disagree with the no practical use statement. The thing here of course is what the methods you publish provide and apparently there is something wrong with some method called 'pingback'. I'm guessing this is not icmp ping but some kind of echo function that allows executing arbitrary code.

I'd like to point out on this subject that hackers rarely use domain names. In fact: since I've started monitoring attempts on the php cgi exploit I've only seen these running on my raw IP address. As a consequence I was never really vulnerable to the exploit since I'm running vhosts and the default host (which serves the raw IP address, its int-64 equivalent, and also the dashed-ip.adsl.provider.com address) has cgi support disabled. It's not exactly hide by obscurity, because running a domain is in fact in plain view, but it does work as such for hackers.
Ubi
Posts: 1549
Joined: 17 Jul 2007, 09:01

Re: B2&B3 and GHOST vulnerability?

Post by Ubi »

I was a bit quick in saying it has no use. It does, but only very few WordPress sites actually do use it. So IMHO this feature should be off by default.

And indeed, hosting your WordPress not on the default host helps a lot (although my logs are filled with hostname-specific WordPress attacks as well, so it's not magic). However, considering DNS problems we see for many users, I would advise against running the B3 web interface on a non-default vhost