What is GHOST and How Can Second Look Protect You?
The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
Qualys security researchers discovered this bug and worked closely with Linux distribution vendors. As a result, we are releasing this advisory today as a coordinated effort, and patches for all distributions are available January 27, 2015.
What is glibc?
The GNU C Library or glibc is an implementation of the standard C library and a core part of the Linux operating system. Without this library a Linux system will not function.
What is the vulnerability?
During a code audit Qualys researchers discovered a buffer overflow in the __nss_hostname_digits_dots() function of glibc. This bug can be triggered both locally and remotely via all the gethostbyname*() functions. Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.
An attacker who uses the GHOST vulnerability to gain access to a Linux system may introduce malware or leave backdoors.
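To see which programs on a host can reach the vulnerable code path, one triage step is to list the binaries that import any gethostbyname*() symbol from glibc. The following is an added example, not code from Qualys, Raytheon or the original advisory. The function name gethostbyname_imports is hypothetical, and the sketch assumes dynamically linked ELF64 little-endian binaries (statically linked programs will not show an import).

```python
import struct
import sys

SHT_DYNSYM = 11  # ELF section type: dynamic symbol table
SHN_UNDEF = 0    # symbol has no defining section, so it is imported

def gethostbyname_imports(data):
    """Return sorted gethostbyname*() names imported by an ELF64 LE image."""
    if len(data) < 64 or data[:4] != b"\x7fELF":
        return []                                   # not an ELF file
    if data[4] != 2 or data[5] != 1:
        return []                                   # not ELF64 little-endian
    shoff, = struct.unpack_from("<Q", data, 0x28)   # e_shoff
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)
    sections = []
    for i in range(shnum):
        off = shoff + i * shentsize
        if off + 64 > len(data):
            return []                               # truncated section table
        sections.append(struct.unpack_from("<IIQQQQIIQQ", data, off))
    found = set()
    for sec in sections:
        sh_type, sh_offset, sh_size, sh_link, sh_entsize = sec[1], sec[4], sec[5], sec[6], sec[9]
        if sh_type != SHT_DYNSYM or sh_entsize < 24 or sh_link >= len(sections):
            continue
        str_off, str_size = sections[sh_link][4], sections[sh_link][5]
        strtab = data[str_off:str_off + str_size]   # linked string table
        for pos in range(sh_offset, sh_offset + sh_size, sh_entsize):
            if pos + 24 > len(data):
                break                               # truncated symbol table
            st_name, _, _, st_shndx, _, _ = struct.unpack_from("<IBBHQQ", data, pos)
            if st_shndx != SHN_UNDEF:
                continue                            # defined locally, not imported
            end = strtab.find(b"\0", st_name)
            name = strtab[st_name:end if end != -1 else None]
            if name.startswith(b"gethostbyname"):
                found.add(name.decode("ascii", "replace"))
    return sorted(found)

if __name__ == "__main__":
    # Usage: pass one or more binary paths; only files with a hit are printed.
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            hits = gethostbyname_imports(fh.read())
        if hits:
            print(f"{path}: {', '.join(hits)}")
```

A hit shows only that the program calls into the affected resolver functions, not that the installed glibc is unpatched; the fix remains applying the vendor's glibc update and restarting the listed services.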
What is Second Look?
Raytheon’s Second Look is a tool that uses memory forensics to acquire and analyze volatile memory from Linux systems. It provides malware detection using an integrity verification approach to validate that all running software is known and unaltered. When responding to a confirmed or potential computer security incident on a Linux system, Second Look will quickly determine where to focus your efforts by highlighting stealth malware, unknown or unauthorized programs running on the system, and other potential indicators of compromise and vulnerability, saving you time and money and avoiding lost business opportunities.
Second Look detects malware, backdoors, and other evidence of compromise on Linux systems.
An enterprise that is using Second Look to monitor Linux systems will be equipped to quickly detect and respond to an intrusion via GHOST — and other known or unknown vulnerabilities. Without Second Look, the intrusion might go unnoticed and the consequences (in terms of damage, data loss, cost and difficulty of remediation) would be much more severe.