Solved

Can an external source call gethost (Ghost) function & any port that gethost apps usually listen on?

Posted on 2015-02-02
7
102 Views
Last Modified: 2015-02-21
A governance authority posed a question:
"are external sources able to make calls to GetHost services/functions to Linux servers in our infra ie passing
 thru firewall/IPS" ?

Does the question above make sense or it was mixed up with the case below:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions

If it makes sense, does it go thru Tcp80, Tcp443 ?  Then will need IPS to detect & block it?

Any common services (python?) that uses GetHostbyName & on what Tcp ports they are listening on usually?
(if this makes sense)
0
Comment
Question by:sunhux
  • 4
  • 3
7 Comments
 

Author Comment

by:sunhux
Comment Utility
I guess it's not relevant at all to block specific Tcp ports on firewall, isn't it?

Further question:
Can we "secure" or harden binaries tt I found to contain gethostbyname or
gethostbyname2 as interim mitigation as the link below indicates it's only those
2 functions:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions
0
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
Comment Utility
How is that different from patching glibc and rebooting? by means of downtime and time spent?

Do you want us to provide professional answer to question on other sites?
What is the essence of your question?

Use of gethostbyname* does not co-relate with particular port being listened to.
0
 

Author Comment

by:sunhux
Comment Utility
Essence of the question is:
"are external sources able to make calls to GetHost services/functions to Linux servers in our infra ie remotely exploit this vulnerability ?

I've got a few answers from Trendmicro, F5 & Bluecat : it's only possible to
remotely exploit this vulnerability if we have EXIM mail service running.
Otherwise, one has to login to the Linux servers to be able to exploit it
0
How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

 

Author Comment

by:sunhux
Comment Utility
I suppose in today's attacks, the attacks usually comes thru Tcp 80, Tcp443
& we can't block these 2 ports as they are needed.

Besides patching/updating glibc, is there any other workarounds to
mitigate this that you are aware of?
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 500 total points
Comment Utility
How vulnerability in exim could eventually be discovered by Qualys auditing security of Oracle database?

Only mitigation is patch and restart all services. How many weeks more you keep your infrastructure at risk to diog ot? Or you are waiting for massive compromise of your systems to spot a problem?
0
 

Author Comment

by:sunhux
Comment Utility
It's change freeze period for next 1.5 months, so I'm exploring a no-downtime
workaround.  Consider that only EXIM can be subject to remote exploitation,
this gives me a bit of time.

If there are dependencies issues (as I can't do 'yum update glibc' as our
servers are blocked from accessing Internet), can I just do
"rpm --nodeps -Uvh ./folder_holding_updated_rpms/*.rpm"  ?
0
 
LVL 61

Expert Comment

by:gheist
Comment Utility
Yes- all processes keep glibc open....

Your process of not installing security patches is flawed.
0

Featured Post

Find Ransomware Secrets With All-Source Analysis

Ransomware has become a major concern for organizations; its prevalence has grown due to past successes achieved by threat actors. While each ransomware variant is different, we’ve seen some common tactics and trends used among the authors of the malware.

Join & Write a Comment

Article by: btan
Provide an easy one stop to quickly get the relevant information on common asked question on Ransomware in Expert Exchange.
Transferring data across the virtual world became simpler but protecting it is becoming a real security challenge.  How to approach cyber security  in today's business world!
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video explains how to create simple products associated to Magento configurable product and offers fast way of their generation with Store Manager for Magento tool.

763 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now