This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Warning: GHOST bug in glibc

Hello everyone,

In case you haven't noticed, there is a critical bug going around these days in glibc that has successfully been remotely exploited through gethostbyname in exim (and possibly everywhere in Linux where a name is resolved):

oss-security - Qualys Security Advisory CVE-2015-0235 - GHOST: glibc gethostbyname buffer overflow

I was unable to quickly assess if UTM is affected. Since the bug only affect older versions of glibc (2.17 and down. 2.18 and up are safe), it is likely not a problem. However, you might want to keep an eye on news.

That old bug wasn't thought to be a security issue until recently. Now, POC against exim has been already tested and metasploit is adding a module to it's catalog (should be there soon).

I'm sure the community would appreciate a work from Sophos regarding this (which version of UTM - if any - is affected). At the very lest, I would [:P]

Some extra info:

https://security-tracker.debian.org/tracker/CVE-2015-0235
Highly critical

Edit:
"ldd --version" returns "ldd (GNU libc) 2.11.3". Looks like we might be looking at an emergency patch and reboot.

This thread was automatically locked due to age.

Parents

0 seroal over 10 years ago

Hi @ all,

im really looking for the patch for v8.3 and 9.2..... The main-website for the ghost caveat (https://www.sophos.com/en-us/support/knowledgebase/121879.aspx) says, the patch should be available since yesterday... Where is it? No information about that....

And im also really interested in, if that statement is true or sophos just wants to hide something?

Hi All,
However, we did also spend some time in parallel hammering on this, and could not reproduce the effect on our Exim implementation.

2 weeks ago I had a customer with UTMs (v9.3) with an Exim error. The result was, that there were no more mails incoming. A look at the logfiles showed different killed processes to that time, but for me the root cause, isn´t clear so far. Sophos says, it was the postgresql database, because of memory problems. But the memory usage isn´t more than 60% at peak over many month.... There are only problems with the swap (swapsize over 80% all the time, even memory is not full at all) that could´t be eliminated so far.

Take a look at this link: Problems with incoming mails | Network Guy

But couldn´t it be, that UTMs with SMTP Proxy active are already actively exploited?! How could somebody verify, that the installations is still clean and not hijacked?
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 seroal over 10 years ago

Hi @ all,

im really looking for the patch for v8.3 and 9.2..... The main-website for the ghost caveat (https://www.sophos.com/en-us/support/knowledgebase/121879.aspx) says, the patch should be available since yesterday... Where is it? No information about that....

And im also really interested in, if that statement is true or sophos just wants to hide something?

Hi All,
However, we did also spend some time in parallel hammering on this, and could not reproduce the effect on our Exim implementation.

2 weeks ago I had a customer with UTMs (v9.3) with an Exim error. The result was, that there were no more mails incoming. A look at the logfiles showed different killed processes to that time, but for me the root cause, isn´t clear so far. Sophos says, it was the postgresql database, because of memory problems. But the memory usage isn´t more than 60% at peak over many month.... There are only problems with the swap (swapsize over 80% all the time, even memory is not full at all) that could´t be eliminated so far.

Take a look at this link: Problems with incoming mails | Network Guy

But couldn´t it be, that UTMs with SMTP Proxy active are already actively exploited?! How could somebody verify, that the installations is still clean and not hijacked?
Cancel
Vote Up 0 Vote Down

Cancel

Children

No Data