  • Status: Solved
  • Priority: Medium
  • Security: Public

Can an external source call gethost (Ghost) function & any port that gethost apps usually listen on?

A governance authority posed a question:
"Are external sources able to make calls to GetHost services/functions to Linux servers in our infra, i.e. passing through the firewall/IPS?"

Does the question above make sense, or was it mixed up with the case below:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions

If it makes sense, does it go through TCP 80, TCP 443? Then will we need an IPS to detect & block it?

Are there any common services (python?) that use GetHostbyName, & on what TCP ports are they usually listening?
(if this makes sense)
0
sunhux
 
sunhux (Author) Commented:
I guess it's not relevant at all to block specific TCP ports on the firewall, is it?

Further question:
Can we "secure" or harden binaries that I found to contain gethostbyname or
gethostbyname2 as an interim mitigation, as the link below indicates it's only those
2 functions:
http://security.stackexchange.com/questions/80498/can-an-executable-be-scanned-for-calls-to-the-vulnerable-glibc-ghost-functions
0
 
gheist Commented:
How is that different from patching glibc and rebooting, by means of downtime and time spent?

Do you want us to provide a professional answer to a question on other sites?
What is the essence of your question?

Use of gethostbyname* does not correlate with a particular port being listened to.
0
 
sunhux (Author) Commented:
Essence of the question is:
"Are external sources able to make calls to GetHost services/functions to Linux servers in our infra, i.e. remotely exploit this vulnerability?"

I've got a few answers from Trendmicro, F5 & Bluecat: it's only possible to
remotely exploit this vulnerability if we have the EXIM mail service running.
Otherwise, one has to log in to the Linux servers to be able to exploit it.
0
 
sunhux (Author) Commented:
I suppose in today's attacks, the attacks usually come through TCP 80, TCP 443
& we can't block these 2 ports as they are needed.

Besides patching/updating glibc, are there any other workarounds to
mitigate this that you are aware of?
0
 
gheist Commented:
How could a vulnerability in exim eventually be discovered by Qualys auditing the security of an Oracle database?

The only mitigation is to patch and restart all services. How many more weeks will you keep your infrastructure at risk to diog ot? Or are you waiting for a massive compromise of your systems to spot a problem?
0
 
sunhux (Author) Commented:
It's a change freeze period for the next 1.5 months, so I'm exploring a no-downtime
workaround.  Considering that only EXIM can be subject to remote exploitation,
this gives me a bit of time.

If there are dependency issues (as I can't do 'yum update glibc' as our
servers are blocked from accessing the Internet), can I just do
"rpm --nodeps -Uvh ./folder_holding_updated_rpms/*.rpm"  ?
0
 
gheist Commented:
Yes- all processes keep glibc open....

Your process of not installing security patches is flawed.
0
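
The point made in the thread that running processes keep the old glibc open, so services must be restarted after patching, can be checked on a host. This is an added example, not code from the thread: it reads `/proc/<pid>/maps` and lists processes that still map a libc file marked `(deleted)`. It assumes the Linux /proc layout; the `PROC_ROOT` variable, the sample PIDs and the sample map lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the Linux /proc layout.
# Lists processes still mapping a glibc image that was replaced on disk;
# these keep running the old code until they are restarted.

# Exit 0 if a /proc/<pid>/maps file shows a libc mapping marked "(deleted)",
# which is how the kernel labels a mapped file that was unlinked or replaced.
has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+\.so|\.so\.[0-9]+)[^ ]* \(deleted\)$' "$1" 2>/dev/null
}

# Print "<pid> <command>" for every process under the given proc root
# (default /proc) that still maps the old library.
stale_libc_pids() {
    proc_root=${1:-/proc}
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        has_stale_libc "$maps" || continue
        pid=${maps%/maps}; pid=${pid##*/}
        comm=$(cat "$proc_root/$pid/comm" 2>/dev/null || echo '?')
        printf '%s %s\n' "$pid" "$comm"
    done
}

# Build a constructed proc tree (hypothetical PIDs and names) for a dry run:
# 101 was started before the library update, 202 after it.
make_sample_proc() {
    d=$(mktemp -d) || return 1
    mkdir "$d/101" "$d/202"
    echo exim > "$d/101/comm"
    echo sshd > "$d/202/comm"
    cat > "$d/101/maps" <<'EOF'
00400000-004f0000 r-xp 00000000 fd:00 1311 /usr/sbin/exim
7f10a0000000-7f10a018a000 r-xp 00000000 fd:00 2201 /lib64/libc-2.12.so (deleted)
EOF
    cat > "$d/202/maps" <<'EOF'
00400000-00480000 r-xp 00000000 fd:00 1422 /usr/sbin/sshd
7f20b0000000-7f20b018a000 r-xp 00000000 fd:00 2977 /lib64/libc-2.12.so
EOF
    echo "$d"
}

# Scan the live host (run as root to see every process), or set PROC_ROOT
# to a directory created by make_sample_proc for a dry run.
stale_libc_pids "${PROC_ROOT:-/proc}"
```

Any process it lists was started before the library was replaced and needs a restart to pick up the patched code.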
Question has a verified solution.
