Solved

Can an external source call gethost (Ghost) function & any port that gethost apps usually listen on?

Posted on 2015-02-02
7
105 Views
Last Modified: 2015-02-21
A governance authority posed a question:
"are external sources able to make calls to GetHost services/functions to Linux servers in our infra ie passing
 thru firewall/IPS" ?

Does the question above make sense or it was mixed up with the case below:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions

If it makes sense, does it go thru Tcp80, Tcp443 ?  Then will need IPS to detect & block it?

Any common services (python?) that uses GetHostbyName & on what Tcp ports they are listening on usually?
(if this makes sense)
0
Comment
Question by:sunhux
  • 4
  • 3
7 Comments
 

Author Comment

by:sunhux
ID: 40583678
I guess it's not relevant at all to block specific Tcp ports on firewall, isn't it?

Further question:
Can we "secure" or harden binaries tt I found to contain gethostbyname or
gethostbyname2 as interim mitigation as the link below indicates it's only those
2 functions:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions
0
 
LVL 61

Accepted Solution

by:
gheist earned 500 total points
ID: 40584992
How is that different from patching glibc and rebooting? by means of downtime and time spent?

Do you want us to provide professional answer to question on other sites?
What is the essence of your question?

Use of gethostbyname* does not co-relate with particular port being listened to.
0
 

Author Comment

by:sunhux
ID: 40594159
Essence of the question is:
"are external sources able to make calls to GetHost services/functions to Linux servers in our infra ie remotely exploit this vulnerability ?

I've got a few answers from Trendmicro, F5 & Bluecat : it's only possible to
remotely exploit this vulnerability if we have EXIM mail service running.
Otherwise, one has to login to the Linux servers to be able to exploit it
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 

Author Comment

by:sunhux
ID: 40594171
I suppose in today's attacks, the attacks usually comes thru Tcp 80, Tcp443
& we can't block these 2 ports as they are needed.

Besides patching/updating glibc, is there any other workarounds to
mitigate this that you are aware of?
0
 
LVL 61

Assisted Solution

by:gheist
gheist earned 500 total points
ID: 40594278
How vulnerability in exim could eventually be discovered by Qualys auditing security of Oracle database?

Only mitigation is patch and restart all services. How many weeks more you keep your infrastructure at risk to diog ot? Or you are waiting for massive compromise of your systems to spot a problem?
0
 

Author Comment

by:sunhux
ID: 40596519
It's change freeze period for next 1.5 months, so I'm exploring a no-downtime
workaround.  Consider that only EXIM can be subject to remote exploitation,
this gives me a bit of time.

If there are dependencies issues (as I can't do 'yum update glibc' as our
servers are blocked from accessing Internet), can I just do
"rpm --nodeps -Uvh ./folder_holding_updated_rpms/*.rpm"  ?
0
 
LVL 61

Expert Comment

by:gheist
ID: 40596555
Yes- all processes keep glibc open....

Your process of not installing security patches is flawed.
0

Featured Post

Zoho SalesIQ

Hassle-free live chat software re-imagined for business growth. 2 users, always free.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Zeus black pop up screen virus 7 64
Design of sending events/logs to SIEM/Arcsight 2 120
wireshark 2 computers 8 43
slow vpn connection 9 41
It’s 2016. Password authentication should be dead — or at least close to dying. But, unfortunately, it has not traversed Quagga stage yet. Using password authentication is like laundering hotel guest linens with a washboard — it’s Passé.
Read about achieving the basic levels of HRIS security in the workplace.
Many functions in Excel can make decisions. The most simple of these is the IF function: it returns a value depending on whether a condition you describe is true or false. Once you get the hang of using the IF function, you will find it easier to us…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now