Posted by Synopsys Editorial Team on February 26, 2015
In early February, the software security industry saw a ghost. A previously overlooked flaw in the GNU C Library (glibc) used by Linux systems was disclosed as a critical vulnerability that can be triggered through the gethostbyname() function (the "GetHOST" calls, hence the name "Ghost").
While this Ghost vulnerability is no otherworldly apparition, it still strikes fear in the hearts of organizations that run Linux systems. Attackers can leverage Ghost (recorded in the National Vulnerability Database as CVE-2015-0235) to take complete control of a system through a remote code execution (RCE) exploit, without needing any authentication credentials.
While Ghost is not simple to exploit, hackers think in the long term. In the hands of a sophisticated attacker with the skills to build a targeted attack, the vulnerability offers many opportunities for exploitation. Once they have control, attackers can mount denial of service (DoS) attacks to disrupt operations, or plant malware that masks their identity, siphons funds, or otherwise wreaks havoc.
Fortunately, patches are available for all affected versions of Linux. (Check out Debian, Red Hat, and Ubuntu.) Patch as soon as possible, and make sure your response covers the appliances and embedded devices that are not patched on a regular schedule.
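One practical way to turn the patch advice above into an inventory check is a small script that classifies the installed glibc version. This is an added example, not code from the Synopsys post or from any distribution; it assumes the upstream facts that the bug entered glibc in 2.2 and that upstream fixed it in 2.18, and it treats anything in between as "check the vendor changelog", because Debian, Red Hat and Ubuntu shipped backported fixes without bumping the upstream version number.

```shell
#!/bin/sh
# Added example (not from the original post): classify a glibc version string
# against the upstream GHOST (CVE-2015-0235) fix. Upstream glibc carries the
# bug from 2.2 through 2.17 and fixed it in 2.18; distributions backported the
# fix, so "vulnerable-upstream" means "confirm via the package changelog",
# not "definitely exploitable".

# Extract the numeric major component of "MAJOR.MINOR[.patch][-distro-suffix]".
ver_major() { printf '%s\n' "${1%%.*}"; }

# Extract the numeric minor component, dropping any trailing ".patch" or a
# distro suffix such as "-38+deb7u6" (as seen in Debian's ldd --version output).
ver_minor() {
    rest=${1#*.}          # drop "MAJOR."
    rest=${rest%%.*}      # drop anything after the minor number
    rest=${rest%%-*}      # drop a "-38+deb7u6" style suffix
    printf '%s\n' "$rest"
}

# True (exit 0) when version $1 is strictly older than version $2.
version_lt() {
    am=$(ver_major "$1"); an=$(ver_minor "$1")
    bm=$(ver_major "$2"); bn=$(ver_minor "$2")
    [ "$am" -lt "$bm" ] || { [ "$am" -eq "$bm" ] && [ "$an" -lt "$bn" ]; }
}

# Print one of: not-affected | vulnerable-upstream | fixed
ghost_status() {
    if version_lt "$1" 2.2; then
        echo not-affected          # predates the vulnerable code (glibc 2.2)
    elif version_lt "$1" 2.18; then
        echo vulnerable-upstream   # 2.2 .. 2.17: unpatched unless backported
    else
        echo fixed                 # 2.18 and later carry the upstream fix
    fi
}

# Best-effort detection of the running system's glibc version. getconf is the
# cleanest source; ldd --version is the fallback on older images.
installed_glibc_version() {
    if v=$(getconf GNU_LIBC_VERSION 2>/dev/null) && [ -n "$v" ]; then
        printf '%s\n' "${v##* }"          # "glibc 2.19" -> "2.19"
    else
        ldd --version 2>/dev/null | head -n 1 | awk '{print $NF}'
    fi
}

# Stand-alone run: report the host's glibc. The verdict is advisory; on a
# backport-patched system the authoritative check is the package changelog,
# e.g. `rpm -q --changelog glibc | grep CVE-2015-0235` on Red Hat, or
# `apt-get changelog libc6 | grep CVE-2015-0235` on Debian/Ubuntu.
v=$(installed_glibc_version)
if [ -n "$v" ]; then
    printf 'glibc %s: %s\n' "$v" "$(ghost_status "$v")"
else
    echo "glibc version not detected (non-glibc system?)"
fi
true
```

Run it on each host in the inventory (including the appliances that normally miss patch cycles) and treat every `vulnerable-upstream` result as a ticket to verify against the vendor's advisory rather than as a final answer; the version alone cannot distinguish a backported fix from an unpatched build.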
The growing use of open source code in application development means that vulnerabilities such as this one will become even more frequent, and the next ones may be easier for hackers to exploit. Make sure your application security strategy includes testing open source code, as well as code obtained from libraries and third-party developers.
Even though it only recently gained widespread attention, this bug is 15 years old. The fact that Ghost most often turns up in older software underscores the need to test your entire application portfolio, not just the newer, prominent applications viewed as "high risk."
Synopsys is doing everything possible to make it easier and more cost effective for organizations to step up their testing cadence, with full coverage of their applications. Subscription services empower you to test the breadth of your application portfolio at any depth so that vulnerabilities like Ghost are not left unaddressed.