Software security researchers recently identified a bug that provides hackers with an open door to the bulk of the world’s servers running Linux.
The vulnerability in the Linux GNU C Library (shorthand: glibc) “allows attackers to remotely take control of an entire system without having any prior knowledge of system credentials,” according to a statement released Tuesday morning by Qualys, a Redwood Shores, California-based security firm.
“Most Linux servers will have the vulnerable glibc version in which the issue was identified,” Qualys Director of Engineering Amol Sarwate said in an email.
Getting complete access to a vulnerable machine can be as simple as sending a crafted email to it: any network service that passes attacker-supplied hostnames to the affected glibc resolver calls is a potential entry point, and Qualys demonstrated the attack against the Exim mail server.
Linux plays a huge role in Internet infrastructure. More than one-third of websites run on servers using various Linux distributions, according to W3Techs, which specializes in collecting data about technologies used for building and running websites. Another third runs on Windows, and the rest run on non-Linux variants of Unix.
The newly discovered Linux vulnerability, known as GHOST (CVE-2015-0235), has been there for more than a decade. It is a buffer overflow in the __nss_hostname_digits_dots() function of glibc, reachable through the gethostbyname() and gethostbyname2() family of calls that programs use to resolve hostnames. The first vulnerable version of the Linux GNU C Library, glibc-2.2, was released in November 2000, Sarwate said.
glibc is the standard C library on most Linux systems: it implements the basic facilities (memory allocation, I/O, name resolution and so on) that practically every program links against. According to the GNU project website, it is used in GNU systems and most systems with the Linux kernel.
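The following probe is an added example, not code from the article, from Qualys or from any distribution; it is written in the style of the canary self-test that circulated with the GHOST advisory. It hands gethostbyname_r() a purely numeric "hostname" whose length is chosen so that the pre-fix size calculation (which forgot to reserve room for the alias-pointer array) passes its check and the copy then runs up to sizeof(char *) bytes past the caller's 1024-byte buffer. A marker string placed directly after that buffer reveals whether the overrun happened. The struct and function names, the buffer size and the marker text are all assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Marker placed directly after the resolver's scratch buffer. Any byte the
 * resolver writes past the buffer lands here. (Example code, not Qualys's.) */
#define CANARY "in_the_coal_mine"

struct ghost_probe {
    char buffer[1024];             /* scratch space handed to gethostbyname_r() */
    char canary[sizeof(CANARY)];   /* follows it directly: no padding between char arrays */
};

enum ghost_result {
    GHOST_NOT_VULNERABLE = 0,  /* canary intact and glibc answered ERANGE, as it should */
    GHOST_VULNERABLE = 1,      /* canary overwritten: the buffer was overrun */
    GHOST_INCONCLUSIVE = 2     /* canary intact but no ERANGE (e.g. a non-glibc libc) */
};

/* Length of the all-digit "hostname" that makes the pre-fix size check pass
 * while the copy still needs one more pointer (the alias array), so the write
 * runs up to sizeof(char *) bytes past a buflen-byte buffer.
 * 16 is sizeof(struct in6_addr); 2 * sizeof(char *) is the address-pointer
 * array; 1 is the terminating NUL. */
size_t ghost_probe_name_len(size_t buflen)
{
    return buflen - 16 * sizeof(unsigned char) - 2 * sizeof(char *) - 1;
}

int ghost_probe_run(void)
{
    struct ghost_probe probe;
    struct hostent resbuf;
    struct hostent *result = NULL;
    char name[sizeof(probe.buffer)];
    size_t len = ghost_probe_name_len(sizeof(probe.buffer));
    int herrno = 0;
    int retval;

    memset(&probe, 0, sizeof(probe));
    memcpy(probe.canary, CANARY, sizeof(CANARY));
    memset(&resbuf, 0, sizeof(resbuf));

    /* A name made only of digits takes the numeric fast path in
     * __nss_hostname_digits_dots(), the function that carried the bug. */
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, probe.buffer, sizeof(probe.buffer),
                             &result, &herrno);

    if (memcmp(probe.canary, CANARY, sizeof(CANARY)) != 0)
        return GHOST_VULNERABLE;
    if (retval == ERANGE)
        return GHOST_NOT_VULNERABLE;
    return GHOST_INCONCLUSIVE;
}

int main(void)
{
    static const char *verdict[] = { "not vulnerable", "vulnerable", "inconclusive" };
    printf("glibc gethostbyname_r() probe: %s\n", verdict[ghost_probe_run()]);
    return 0;
}
```

Build and run it with `cc -o ghost_probe ghost_probe.c && ./ghost_probe`. A patched glibc rejects the oversized request with ERANGE and the probe reports "not vulnerable"; a pre-fix glibc overwrites the marker. The probe only tells you about the libc the binary itself loaded at run time, that is, the copy currently installed on disk, not the copy that long-running daemons mapped before an update.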
Qualys identified GHOST earlier, but did not disclose it until Tuesday because it needed to give Linux distribution vendors enough time to update their respective software packages with a patch.
“It was discovered by Qualys, and they used responsible disclosure to alert the security teams of various Linux distributions prior to making a public announcement,” Dustin Kirkland, Ubuntu cloud solutions product manager at Canonical, said Tuesday. “Canonical had sufficient time to prepare and test updated packages for Ubuntu prior to this morning.”
Ubuntu is one of the most popular Linux distros, second to Debian in market share. GHOST affected Ubuntu 10.04 LTS and 12.04 LTS releases, Kirkland said. Ubuntu 14.04 and newer releases were not affected.
While, according to Sarwate, most Linux servers were affected, “the actual threat depends on what services are running on a given system,” Josh Bressers, lead of the product security team at Red Hat, another major Linux distro provider, said. Still, the company recommends that all users upgrade vulnerable glibc versions.
Several factors mitigate the bug’s impact, including a fix that was committed upstream in May 2013 and shipped in glibc 2.18, so systems built on glibc 2.18 or later never carried the bug. The fix, however, was not classified as a security advisory, which means most stable distributions with the longest support terms kept shipping older, unpatched glibc versions and were left exposed, Qualys reps explained. Those include:
- Debian 7 (wheezy)
- Red Hat Enterprise Linux 6 and 7
- CentOS 6 and 7
- Ubuntu 12.04
Now that the Linux vulnerability has been recognized, the best course of action for all users is to consult with their Linux vendors to identify current glibc versions and apply updates if needed and available, Bressers said. Because glibc is mapped into nearly every running process, installing the updated package is not enough on its own: services that loaded the old library must be restarted, or the host rebooted, before the fix takes effect.
Corrected: A previous version of this article erroneously stated that the first vulnerable version of the Linux GNU C Library, glibc-2.2, was released in November 2010. It was actually released in November 2000. Data Center Knowledge regrets the error.