?
Solved

Can an external source call gethost (Ghost) function & any port that gethost apps usually listen on?

Posted on 2015-02-02
7
Medium Priority
?
113 Views
Last Modified: 2015-02-21
A governance authority posed a question:
"are external sources able to make calls to GetHost services/functions to Linux servers in our infra ie passing
 thru firewall/IPS" ?

Does the question above make sense or it was mixed up with the case below:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions

If it makes sense, does it go thru Tcp80, Tcp443 ?  Then will need IPS to detect & block it?

Any common services (python?) that uses GetHostbyName & on what Tcp ports they are listening on usually?
(if this makes sense)
0
Comment
Question by:sunhux
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 4
  • 3
7 Comments
 

Author Comment

by:sunhux
ID: 40583678
I guess it's not relevant at all to block specific Tcp ports on firewall, isn't it?

Further question:
Can we "secure" or harden binaries tt I found to contain gethostbyname or
gethostbyname2 as interim mitigation as the link below indicates it's only those
2 functions:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions
0
 
LVL 62

Accepted Solution

by:
gheist earned 1500 total points
ID: 40584992
How is that different from patching glibc and rebooting? by means of downtime and time spent?

Do you want us to provide professional answer to question on other sites?
What is the essence of your question?

Use of gethostbyname* does not co-relate with particular port being listened to.
0
 

Author Comment

by:sunhux
ID: 40594159
Essence of the question is:
"are external sources able to make calls to GetHost services/functions to Linux servers in our infra ie remotely exploit this vulnerability ?

I've got a few answers from Trendmicro, F5 & Bluecat : it's only possible to
remotely exploit this vulnerability if we have EXIM mail service running.
Otherwise, one has to login to the Linux servers to be able to exploit it
0
The Orion Papers

Are you interested in becoming an AWS Certified Solutions Architect?

Discover a new interactive way of training for the exam.

 

Author Comment

by:sunhux
ID: 40594171
I suppose in today's attacks, the attacks usually comes thru Tcp 80, Tcp443
& we can't block these 2 ports as they are needed.

Besides patching/updating glibc, is there any other workarounds to
mitigate this that you are aware of?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 1500 total points
ID: 40594278
How vulnerability in exim could eventually be discovered by Qualys auditing security of Oracle database?

Only mitigation is patch and restart all services. How many weeks more you keep your infrastructure at risk to diog ot? Or you are waiting for massive compromise of your systems to spot a problem?
0
 

Author Comment

by:sunhux
ID: 40596519
It's change freeze period for next 1.5 months, so I'm exploring a no-downtime
workaround.  Consider that only EXIM can be subject to remote exploitation,
this gives me a bit of time.

If there are dependencies issues (as I can't do 'yum update glibc' as our
servers are blocked from accessing Internet), can I just do
"rpm --nodeps -Uvh ./folder_holding_updated_rpms/*.rpm"  ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40596555
Yes- all processes keep glibc open....

Your process of not installing security patches is flawed.
0

Featured Post

On Demand Webinar: Networking for the Cloud Era

Ready to improve network connectivity? Watch this webinar to learn how SD-WANs and a one-click instant connect tool can boost provisions, deployment, and management of your cloud connection.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
Keystroke loggers have been around for a very long time. While the threat is old, some of the remedies are new!
If you're a developer or IT admin, you’re probably tasked with managing multiple websites, servers, applications, and levels of security on a daily basis. While this can be extremely time consuming, it can also be frustrating when systems aren't wor…
In this video, Percona Solutions Engineer Barrett Chambers discusses some of the basic syntax differences between MySQL and MongoDB. To learn more check out our webinar on MongoDB administration for MySQL DBA: https://www.percona.com/resources/we…

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question