Solved

Can an external source call gethost (Ghost) function & any port that gethost apps usually listen on?

Posted on 2015-02-02
Last Modified: 2015-02-21
A governance authority posed a question:
"are external sources able to make calls to GetHost services/functions to Linux servers in our infra, i.e. passing thru firewall/IPS"?

Does the question above make sense, or was it mixed up with the case below:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions

If it makes sense, does it go thru Tcp80, Tcp443? Then will we need IPS to detect & block it?

Any common services (python?) that use GetHostbyName & on what Tcp ports are they usually listening?
(if this makes sense)
Question by:sunhux

Author Comment

by:sunhux
ID: 40583678
I guess it's not relevant at all to block specific Tcp ports on the firewall, is it?

Further question:
Can we "secure" or harden binaries that I found to contain gethostbyname or
gethostbyname2 as interim mitigation, as the link below indicates it's only those
2 functions:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions
0
 
LVL 62

Accepted Solution

by:gheist
gheist earned 500 total points
ID: 40584992
How is that different from patching glibc and rebooting, in terms of downtime and time spent?

Do you want us to provide a professional answer to a question on other sites?
What is the essence of your question?

Use of gethostbyname* does not correlate with a particular port being listened to.
0
 

Author Comment

by:sunhux
ID: 40594159
Essence of the question is:
"are external sources able to make calls to GetHost services/functions to Linux servers in our infra, i.e. remotely exploit this vulnerability?"

I've got a few answers from Trendmicro, F5 & Bluecat: it's only possible to
remotely exploit this vulnerability if we have EXIM mail service running.
Otherwise, one has to log in to the Linux servers to be able to exploit it.
0
 

Author Comment

by:sunhux
ID: 40594171
I suppose in today's attacks, the attacks usually come thru Tcp 80, Tcp443
& we can't block these 2 ports as they are needed.

Besides patching/updating glibc, are there any other workarounds to
mitigate this that you are aware of?
0
 
LVL 62

Assisted Solution

by:gheist
gheist earned 500 total points
ID: 40594278
How could a vulnerability in exim eventually be discovered by Qualys auditing the security of an Oracle database?

The only mitigation is to patch and restart all services. How many more weeks will you keep your infrastructure at risk to diog ot? Or are you waiting for a massive compromise of your systems to spot a problem?
0
 

Author Comment

by:sunhux
ID: 40596519
It's a change freeze period for the next 1.5 months, so I'm exploring a no-downtime
workaround.  Considering that only EXIM can be subject to remote exploitation,
this gives me a bit of time.

If there are dependency issues (as I can't do 'yum update glibc' as our
servers are blocked from accessing the Internet), can I just do
"rpm --nodeps -Uvh ./folder_holding_updated_rpms/*.rpm"  ?
0
 
LVL 62

Expert Comment

by:gheist
ID: 40596555
Yes- all processes keep glibc open....

Your process of not installing security patches is flawed.
0
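
The point made in the answers above, that running processes keep the old glibc open until they are restarted, can be checked per host with the following added example (not part of the original thread). The function names and the proc-root argument are hypothetical, and the sample tree is constructed data.

```sh
#!/bin/sh
# After glibc is updated on disk, running processes still map the old,
# unlinked library image until they are restarted.

# Print "PID NAME" for each process whose maps show a deleted libc image.
# $1 is the proc root; the override exists only so the check can be tested.
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # maps line format: range perms offset dev inode path [(deleted)]
        if grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$maps" 2>/dev/null
        then
            dir="${maps%/maps}"
            name="$(cat "$dir/comm" 2>/dev/null)"
            printf '%s %s\n' "${dir##*/}" "${name:-unknown}"
        fi
    done
}

# Build a constructed proc tree (sample data, not real output) for a dry run.
make_sample_proc() {
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/202" "$root/303"
    echo exim > "$root/101/comm"
    echo '7f10a000-7f2b4000 r-xp 00000000 fd:00 1311 /lib64/libc-2.12.so (deleted)' > "$root/101/maps"
    echo sshd > "$root/202/comm"
    echo '7f10a000-7f2b4000 r-xp 00000000 fd:00 2742 /lib64/libc-2.12.so' > "$root/202/maps"
    echo imapd > "$root/303/comm"
    echo '7f3c1000-7f4d0000 r-xp 00000000 fd:00 990 /usr/lib64/libc-client.so.2007 (deleted)' > "$root/303/maps"
    echo "$root"
}

# Usage: run as root on the host; with no argument it reads the live /proc.
#   stale_libc_pids
#   stale_libc_pids "$(make_sample_proc)"   # prints: 101 exim
```

Any process listed after the package update is still executing the pre-update library and needs a restart before the patch takes effect for it.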
