Security Bulletin - GHOST Vulnerability
Security Bulletins ID:
SB10100
Last Modified: 5/4/2022
Summary
Who Should Read This Document: | Technical and Security Personnel |
Impact of Vulnerability: | Remote Code Execution (CWE-714, OWASP 2007:A3); Buffer Overflow (CWE-726, OWASP 2004:A5); Authentication Bypass (CWE-592) |
CVE Numbers: | CVE-2015-0235 |
CERT/CC and Other Numbers: | Qualys Advisory: GHOST-CVE-2015-0235 |
Severity Rating: | High |
Base / Overall CVSS Scores: | 10.0 / 7.8 |
Recommendations: | Deploy the remediation signatures/rules first. Update product patches/hotfixes. |
Security Bulletin Replacement: | None |
Caveats: | None |
Affected Software: | See the Product Vulnerability Status lists below |
Location of Updated Software: | Product Downloads site |
Description
The GHOST vulnerability is a heap-based buffer overflow in the GNU C Library (glibc) function __nss_hostname_digits_dots(), which is reached through the gethostbyname() and gethostbyname2() family of calls; the nickname comes from those GetHOST functions. Any program that resolves an attacker-supplied hostname through a vulnerable glibc can be made to write past the end of a buffer by up to sizeof(char *) bytes (4 bytes on 32-bit, 8 bytes on 64-bit systems), and the flaw can be triggered both locally and remotely. Qualys has shown that this is enough for an attacker to take complete control of the target system without any prior knowledge of system credentials. CVE-2015-0235 has been assigned to this issue.
glibc is the implementation of the standard C library used by most Linux distributions and is a core part of the operating system. Distribution vendors released patches for all supported distributions as of January 27, 2015:
- RedHat: https://rhn.redhat.com/errata/RHSA-2015-0090.html
- Ubuntu: https://launchpad.net/ubuntu/+source/eglibc
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-0235
- Oracle Enterprise Linux: https://oss.oracle.com/pipermail/el-errata/2015-January/004810.html
- CentOS: http://lists.centos.org/pipermail/centos-announce/2015-January/020906.html
- GNU C Library: http://www.gnu.org/software/libc/
- Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
The first vulnerable glibc release, glibc-2.2, was published on November 10, 2000. The bug was fixed on May 21, 2013, between the glibc-2.17 and glibc-2.18 releases, but the fix was not recognized as a security fix at the time and was therefore not backported. As a result, most stable and long-term-support distributions were left exposed until the coordinated disclosure in January 2015.
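The following check is an added example written for readers of this bulletin; it is not part of the bulletin or of any McAfee product, and it follows the approach of the test program published in the Qualys advisory. It asks the local glibc to resolve an all-digit hostname whose length is chosen so that the pre-fix gethostbyname_r() passes its size check but writes sizeof(char *) bytes past the buffer it was given, then inspects a canary placed immediately after that buffer. The 1024-byte buffer, the canary string and the return codes are choices made here, not values from the bulletin or from glibc.

```c
/* ghost_check.c: does the glibc this binary links against still have GHOST?
 * Added example (not from the bulletin); modelled on the Qualys advisory's
 * test program. Build with: cc -o ghost_check ghost_check.c */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

#define CANARY "in_the_coal_mine"

/* Scratch buffer handed to gethostbyname_r(), followed by a canary that
 * only an out-of-bounds write from inside glibc can disturb. */
struct scratch {
    char buffer[1024];
    char canary[sizeof(CANARY)];
};

/* Returns 1 if the canary was overwritten (vulnerable glibc), 0 if glibc
 * refused the buffer with ERANGE (fixed glibc), 2 for anything else
 * (e.g. a non-glibc libc that resolves the name differently). */
int ghost_check(void)
{
    struct scratch temp;
    struct hostent resbuf;
    struct hostent *result = NULL;
    int herrno = 0;
    char name[sizeof(temp.buffer)];

    memset(&temp, 0, sizeof(temp));
    memcpy(temp.canary, CANARY, sizeof(CANARY));

    /* __nss_hostname_digits_dots() lays out inside the caller's buffer:
     *   host_addr (16 bytes), h_addr_ptrs (2 pointers), h_alias_ptr
     *   (1 pointer), then the hostname plus its NUL terminator.
     * The vulnerable size check omitted h_alias_ptr, so a hostname of
     * exactly this length passes the check yet the copy runs
     * sizeof(char *) bytes past the buffer, straight into the canary. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);   /* all digits: forces the digits-and-dots path */
    name[len] = '\0';

    int retval = gethostbyname_r(name, &resbuf, temp.buffer,
                                 sizeof(temp.buffer), &result, &herrno);

    if (memcmp(temp.canary, CANARY, sizeof(CANARY)) != 0)
        return 1;             /* the overflow reached the canary */
    if (retval == ERANGE)
        return 0;             /* fixed glibc: undersized buffer rejected */
    return 2;
}

int main(void)
{
    switch (ghost_check()) {
    case 1:  puts("vulnerable");     return 0;
    case 0:  puts("not vulnerable"); return 0;
    default: puts("inconclusive (unexpected libc behaviour)"); return 1;
    }
}
```

Run the compiled binary on the system under test rather than on a build host: the verdict is about the glibc the binary is dynamically linked against at run time. A statically linked program carries its own copy of glibc and is not fixed by a distribution update, which is why the product notes below call out statically linked components separately.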
CVE-2015-0235
GHOST: glibc gethostbyname buffer overflow
NIST: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235
Mitre: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
CWE-714
OWASP Top Ten 2007 Category A3 - Malicious File Execution
http://cwe.mitre.org/data/definitions/714.html
Qualys Advisory: GHOST-CVE-2015-0235
GHOST Vulnerability
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
- https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
Not every version of the products listed as "Vulnerable and Updated" is vulnerable.
Products listed as "Vulnerable but Low Risk (given standard deployment best practices)" might contain one or more of the following conditions:
- Contains a vulnerable component, but an attack vector cannot be identified or the component is not used by the product.
- Only rarely used configurations are vulnerable. For example, it is vulnerable only in FIPS-140 mode, which is not the default and is not commonly used.
- Internal controls that block this vulnerability should be deployed as recommended in the installation documents. For example, internal firewalls.
- Privileges are not elevated enough to be vulnerable, unless granted explicitly by the customer.
- The product may be momentarily vulnerable during an install or uninstall, but not during normal operation.
See the version information later in this bulletin.
Vulnerable and Updated
- Advanced Threat Defense
- Global Threat Intelligence (GTI) [GTI Cloud Server (CS) / Artemis / REST]
- McAfee Agent (MA) (Linux 32-bit) 4.8.0 and 5.0.0
- McAfee Asset Manager (MAM)
- McAfee Security for App Store- Cloud (MSAS)
- McAfee Security Information and Event Management (SIEM)
- McAfee Web Gateway (MWG)
- Mobile Cloud (MC)
- MOVE AntiVirus Security Virtual Appliance (MOVE SVA)
- McAfee MOVE AntiVirus Security Virtual Appliance Manager (MOVE SVA Manager)
- Network Data Loss Prevention (NDLP)
- TrueKey Password Manager API (TKPM)
- VirusScan Enterprise Linux (VSEL)
Vulnerable and Not Yet Updated
- Cloud Analysis and Deconstruction Service (CADS)
- Site Advisor Live (SA)
Vulnerable but Low Risk (given standard deployment best practices)*
- CleanBoot (CB)
- Data Exchange Layer (DXL)
- Email and Web Security (EWS)
- Host Intrusion Prevention Services (Host IPS)
- McAfee Email Gateway (MEG)
- Network Security Platform (NSP) Sensor
- Network Threat Behavior Analysis (NTBA)
- Threat Intelligence Exchange (TIE)
Not Vulnerable
- Anti-Malware Engine (Scan Engine)
- Database Activity Monitoring (DAM)
- Database Vulnerability Manager (DVM)
- Drive Encryption (DE)
- Endpoint Encryption Manager (EEM/SafeBoot)
- Endpoint Protection for Mac (EPM)
- ePolicy Orchestrator (ePO)
- McAfee Drive Encryption (MDE)
- File and Removable Media Protection (FRP)
- McAfee Application Control (MAC)
- McAfee Antivirus Plus (AV+)
- McAfee Endpoint Security 10 (ENS) / Endpoint Protection 10.0 (EP10)
- McAfee Family Protection (MFP)
- McAfee Foundation Services (MFS) [part of ePO]
- McAfee Home Network (MHN)
- McAfee Minimum Escalation Requirements Tool (MER)
- McAfee Mobile Security (MMS)
- McAfee Quarantine Manager (MQM)
- McAfee Security for Domino Windows (MSDW)
- McAfee Security for Email Servers (MSES) / GroupShield
- McAfee Security for Lotus Domino (MSLD) / GroupShield Domino (GSD)
- McAfee Security for Microsoft Exchange (MSME) / GroupShield Exchange
- McAfee Security for Microsoft SharePoint (MSMS)
- McAfee Security for Mac (MSM)
- McAfee Vulnerability Manager (MVM)
- McAfee Web Reporter (MWR)
- Network Security Manager (NSM)
- Rogue System Detection (RSD) [part of ePO]
- SaaS Endpoint Protection (SEP)
- Secure Container (Android and iOS)
- Site Advisor Enterprise (SAE)
- Total Protection Service Client (ToPS)
- Virus-Scan Enterprise (VSE)
- VirusScan for Mac (VSMac)
- Windows Systems Security (WSS)
Being Investigated
- Anti-Malware Core (AMC)
- Anti-Spam Engine (ASE)
- AntiVirus Engine (AVE)
- Boot Attestation Service (BAS) / Open Virtual Appliance (OVA)
- Data Loss Prevention Endpoint (DLPe)
- DeepSAFE (SAFE)
- Endpoint Intelligence Agent (EIA)
- ePO Cloud
- Gateway Anti-Malware Engine (GAM)
- Host Data Loss Prevention (HDLP)
- Management for Optimized Virtual Environments (MOVE) AntiVirus
- McAfee Anti-Theft (MAT)
- McAfee Change Control (MCC)
- McAfee Cloud Single Sign On (MCSSO) / McAfee Cloud Identity Manager (MCIM)
- McAfee Network Access Control (MNAC)
- McAfee Policy Auditor (MPA)
- McAfee Real Time Command (RTC)
- McAfee Real Time for ePO (RTE)
- McAfee SECURE (MS) / Trustmark
- McAfee Security Scan+ (MSS+)
- Network User Behavior Analysis (NUBA)
- One Time Password (OTP) / Nordic Edge / Pledge
- Online Child Protection (OCP)
- PortalShield (PS)
- Pre-Install Scanner (PIS)
- Stinger
- Super DAT Manager (SDAT)
- ToPS Server (TPS)
- Trusted Source Software Development Kit (TS-SDK)
- Whole Disk Encryption (WDE)
Remediation
Go to the Product Downloads site and download the applicable product patch/hotfix file:
Product | Type | Patch Version | File Name | Release Date |
ATD | Patch | 3.4.4.63.45665 | | March 31, 2015 |
MAM | Security Hotfix Script | Hotfix 7 | mam_hotfix_pack7.sh | June 23, 2015 |
McAfee Agent 4.8.0 | Patch | 3 | MA480P3LNX.zip | February 17, 2015 |
McAfee Agent 5.0.0 | Security Hotfix | NA | MA500LNXHF1037455.zip | February 19, 2015 |
MOVE 3.5 SVA Manager | Upgrade to MA 4.8 Patch 3 and VSEL 2.0.2, and then deploy HF1043657 from ePO. | HF1043657 | N/A | |
MOVE AL 3.5 | Upgrade to MA 4.8 Patch 3 and VSEL 2.0.2, and then deploy HF1043655 from ePO. | HF1043655 | N/A | February 23, 2015 |
MOVE AL 3.0 | Upgrade to MA and VSEL 1.9.1, and then deploy HF1043684 from ePO. | HF1043684 | N/A | After the VSEL 1.9.1 release, scheduled for February 27, 2015 |
MOVE MP 3.5 | Development is still in progress. | N/A | N/A | Date will be updated later. |
MOVE 2.6 | MOVE 2.6 is EOL on July 31; customers are advised to move to MOVE 3.0/3.5. | N/A | N/A | N/A |
MWG | Patch | 7.5.1 / 7.4.2.7 | mwgappl-7.5.1-18935.x86_64.yum / mwgappl-7.4.2.7.0-18936.x86_64.yum | January 29, 2015 |
MWG | Patch | 7.3.2.13 | mwgappl-7.3.2.13.0-18938.x86_64.yum | February 2, 2015 |
NDLP | Security Hotfix | Hotfix 1045663 | hotfix_1045663_47280.tar.gz | March 12, 2015 |
SIEM | Maintenance Release | 9.4.2 MR6 / 9.3.2 MR17 | | January 28, 2015 |
TrueKey | Cloud Update | N/A | N/A | January 27, 2015 |
VSE for Linux 1.7.x | Customers are advised to upgrade to VSEL 1.9.1 or 2.0.2 to fix all the vulnerabilities. | N/A | N/A | N/A |
VSE for Linux 2.0.2 | VSEL 2.0.2 is being reposted; the reposted build fixes the glibc vulnerability and contains all previously released hotfixes merged in (including the POODLE fix). | N/A | N/A | February 19, 2015 |
VSE for Linux 1.9.1 | VSEL 1.9.1 is being reposted; the reposted build fixes the glibc vulnerability and contains all previously released hotfixes merged in (including the POODLE fix). | N/A | McAfeeVSEForLinux-1.9.1.29107.zip | March 4, 2015 |
- DXL: DXL clients are not vulnerable. The platform the DXL Broker runs on has a vulnerable version of glibc; however, it does not expose the vulnerability. DXL 1.0.1 will still be patched to avoid false positives from vulnerability scanners.
- Host IPS: Host IPS for Linux statically links a vulnerable version of glibc, but there is no attack vector. The Windows version is not vulnerable.
- MA: Only Linux 32-bit 4.6, 4.8, and 5.0 Agents are bundled with this runtime library and are affected.
- MAM: MAM is vulnerable, not because of the product itself, but because of the underlying Debian Squeeze (6.0) platform shipped with it. MAM 6.6 Hotfix 7 supersedes the release previously posted in this article. Hotfix 7 is a rollup that includes the content of hotfixes 1-6.
- MC: McAfee Mobile Cloud was updated by McAfee in the cloud. No action is required by customers.
- MWG: MWG appliances use the vulnerable glibc, but investigation shows that there is no attack vector through the MWG proxy for user traffic, because MWG uses a different implementation for DNS lookups (uDNS). MWG ships with several third-party products, such as Dante SOCKS Proxy and Helix Streaming Proxy, which may be vulnerable. These third-party products are NOT enabled by default.
- TIE: The platform the TIE Server runs on has a vulnerable version of glibc; however, it does not expose the vulnerability. TIE 1.0.1 will still be patched to avoid false positives from vulnerability scanners.
- TrueKey/YAP: All production systems related to the TrueKey platform were updated by McAfee on January 27, 2015. No customer action is required.
- Launch Internet Explorer.
- Go to the Product Downloads site.
- Provide your valid Grant Number.
- Click your product suite.
- Click the applicable product (see table above) and click I Agree.
- Click the Patches tab and click the link to download the product .ZIP file under the Product column.
NOTE: The Content and Cloud Security portal does not require a Grant number; however, customers have received login credentials together with their MWG license.
For instructions to download product updates and hotfixes, see KB56057 - How to download Enterprise product updates and documentation. Review the Release Notes and Installation Guide for instructions on how to install these updates. All documentation is available at our Product Documentation site.
Frequently Asked Questions (FAQs)
We recommend that all customers verify that they have applied the latest updates.
How do I know if my product is vulnerable?
For Endpoint products:
Use the following instructions for endpoint or client based products:
- Right-click on the McAfee tray shield icon on the Windows task bar.
- Select Open Console.
- In the console, select Action Menu.
- In the Action Menu, select Product Details. The product version is displayed.
Use the following instructions for server based products:
- Check the version and build of ePO that is installed. For more information on how to check the version, see: KB52634.
- Or, create a query in ePO for the product version of the product installed within your organization.
Use the following instructions for Appliance based products:
- Open the Administrator's User Interface (UI).
- Click the About link. The product version is displayed.
Use the following instructions for Data Loss Prevention (DLP) products:
- Log on to the ePO server.
- Click Menu, Data Protection, DLP Policy.
- Inside the DLP console, click the Help menu item, About. The product version is displayed.
What are the CVSS scoring metrics that have been used?
CVSS, or Common Vulnerability Scoring System, is the result of the National Infrastructure Advisory Council’s effort to standardize a system for assessing the criticality of a vulnerability. This system offers an unbiased criticality score between 0 and 10 that customers can use to judge how critical a vulnerability is and plan accordingly. For more information, see the CVSS website.
When calculating CVSS v2 scores, we've adopted a philosophy that fosters consistency and repeatability. Our guiding principle for CVSS scoring is to score the exploit under consideration by itself. We consider only the immediate and direct impact of the exploit under consideration. We do not factor into a score any potential follow-on exploits that might be made possible by successful exploitation of the issue being scored.
CVE-2015-0235: GHOST Vulnerability
Base Score | 10.0 |
Related exploit range (AccessVector) | Network |
Attack complexity (AccessComplexity) | Low |
Level of authentication needed (Authentication) | None |
Confidentiality impact | Complete |
Integrity impact | Complete |
Availability impact | Complete |
Temporal Score (Overall) | 7.8 |
Availability of exploit (Exploitability) | Proof of concept code |
Type of fix available (RemediationLevel) | Official fix |
Level of verification that vulnerability exists (ReportConfidence) | Confirmed |
NOTE: CVSS version 2.0 was used to generate this score.
https://nvd.nist.gov/cvss.cfm?calculator&version=2&vector=(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)
NOTE: The CVSS base score was adjusted upward to 10.0 after NIST (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235) scored the CVE. The initial score (6.8) came from Red Hat: https://access.redhat.com/security/cve/CVE-2015-0235.
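To see where the 10.0 / 7.8 pair in the table comes from, the following added example (not from the bulletin) recomputes CVSS v2 base and temporal scores from a vector string, using the weights and formulas of the CVSS v2 specification. The parenthesised vector is the one in the NVD calculator link above. The second vector, AV:N/AC:M/Au:N/C:P/I:P/A:P, is chosen here for illustration because it evaluates to 6.8, the figure the note attributes to Red Hat; the bulletin itself does not state Red Hat's vector.

```c
/* cvss2.c: recompute CVSS v2 base and temporal scores from a vector string.
 * Added example, not part of the bulletin; weights and formulas follow the
 * CVSS v2 specification. */
#include <stdio.h>
#include <string.h>

struct cvss2 {
    double av, ac, au;   /* exploitability metrics */
    double c, i, a;      /* impact metrics */
    double e, rl, rc;    /* temporal metrics; 1.0 means "Not Defined" */
};

/* Metric weights from the CVSS v2 specification. */
static const struct { const char *key, *val; double w; } weights[] = {
    {"AV", "L", 0.395}, {"AV", "A", 0.646}, {"AV", "N", 1.0},
    {"AC", "H", 0.35},  {"AC", "M", 0.61},  {"AC", "L", 0.71},
    {"Au", "M", 0.45},  {"Au", "S", 0.56},  {"Au", "N", 0.704},
    {"C", "N", 0.0}, {"C", "P", 0.275}, {"C", "C", 0.660},
    {"I", "N", 0.0}, {"I", "P", 0.275}, {"I", "C", 0.660},
    {"A", "N", 0.0}, {"A", "P", 0.275}, {"A", "C", 0.660},
    {"E", "U", 0.85}, {"E", "POC", 0.9}, {"E", "F", 0.95}, {"E", "H", 1.0}, {"E", "ND", 1.0},
    {"RL", "OF", 0.87}, {"RL", "TF", 0.90}, {"RL", "W", 0.95}, {"RL", "U", 1.0}, {"RL", "ND", 1.0},
    {"RC", "UC", 0.90}, {"RC", "UR", 0.95}, {"RC", "C", 1.0}, {"RC", "ND", 1.0},
};

static int lookup(const char *key, const char *val, double *out)
{
    for (size_t k = 0; k < sizeof weights / sizeof weights[0]; k++)
        if (strcmp(weights[k].key, key) == 0 && strcmp(weights[k].val, val) == 0) {
            *out = weights[k].w;
            return 0;
        }
    return -1;   /* unknown metric/value pair */
}

/* Parse "AV:N/AC:L/..." (optionally wrapped in parentheses, as in the NVD
 * calculator URL). Returns 0 on success, -1 on a malformed or unknown token
 * or a missing base metric. Absent temporal metrics default to Not Defined. */
int cvss2_parse(const char *vector, struct cvss2 *m)
{
    char buf[128];
    if (strlen(vector) >= sizeof buf) return -1;
    strcpy(buf, vector);
    char *s = buf;
    if (*s == '(') s++;
    size_t len = strlen(s);
    if (len > 0 && s[len - 1] == ')') s[len - 1] = '\0';

    m->av = m->ac = m->au = m->c = m->i = m->a = -1.0;   /* -1 = not seen yet */
    m->e = m->rl = m->rc = 1.0;

    for (char *tok = strtok(s, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (colon == NULL) return -1;
        *colon = '\0';
        const char *key = tok, *val = colon + 1;
        double *field;
        if      (strcmp(key, "AV") == 0) field = &m->av;
        else if (strcmp(key, "AC") == 0) field = &m->ac;
        else if (strcmp(key, "Au") == 0) field = &m->au;
        else if (strcmp(key, "C")  == 0) field = &m->c;
        else if (strcmp(key, "I")  == 0) field = &m->i;
        else if (strcmp(key, "A")  == 0) field = &m->a;
        else if (strcmp(key, "E")  == 0) field = &m->e;
        else if (strcmp(key, "RL") == 0) field = &m->rl;
        else if (strcmp(key, "RC") == 0) field = &m->rc;
        else return -1;
        if (lookup(key, val, field) != 0) return -1;
    }
    /* All six base metrics are mandatory. */
    return (m->av < 0 || m->ac < 0 || m->au < 0 || m->c < 0 || m->i < 0 || m->a < 0) ? -1 : 0;
}

/* CVSS v2 rounds to one decimal place, half up; scores are never negative. */
static double round1(double x) { return (double)(long)(x * 10.0 + 0.5) / 10.0; }

double cvss2_base(const struct cvss2 *m)
{
    double impact = 10.41 * (1.0 - (1.0 - m->c) * (1.0 - m->i) * (1.0 - m->a));
    double exploitability = 20.0 * m->av * m->ac * m->au;
    double f_impact = (impact == 0.0) ? 0.0 : 1.176;
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact);
}

/* Temporal score: the rounded base score scaled by E, RL and RC, rounded again. */
double cvss2_temporal(const struct cvss2 *m)
{
    return round1(cvss2_base(m) * m->e * m->rl * m->rc);
}

int main(void)
{
    /* First: the bulletin's vector. Second: a vector chosen here for illustration
     * (not taken from the bulletin) with medium access complexity and partial
     * impacts, which evaluates to 6.8. */
    const char *vectors[] = {
        "(AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C)",
        "AV:N/AC:M/Au:N/C:P/I:P/A:P",
    };
    for (size_t k = 0; k < 2; k++) {
        struct cvss2 m;
        if (cvss2_parse(vectors[k], &m) != 0) {
            fprintf(stderr, "bad vector: %s\n", vectors[k]);
            return 1;
        }
        printf("%-46s base %.1f  temporal %.1f\n",
               vectors[k], cvss2_base(&m), cvss2_temporal(&m));
    }
    return 0;
}
```

The gap between 6.8 and 10.0 is entirely in the access-complexity and impact metrics (AC:M and partial C/I/A versus AC:L and complete C/I/A); the temporal metrics then pull the 10.0 base down to 7.8 because only proof-of-concept code (E:POC) and an official fix (RL:OF) were known at the time of scoring.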
We've released product updates to address this security flaw.
Where do I download the fix?
Download the fix from the Product Downloads site. You will need to provide a valid Grant Number to initiate the download.
Where can I find a list of all Security Bulletins?
All Security Bulletins are published on our Knowledge Center. Security Bulletins are retired (removed) once a product is both End of Sale and End of Support (End of Life).
How do I report a product vulnerability to you?
If you have information about a security issue or vulnerability with a product, follow the instructions provided in KB95563 - Report a vulnerability.
How do you respond to this and any other reported security flaws?
Our key priority is the security of our customers. If a vulnerability is found within any of our software or services, we work closely with the relevant security software development team to ensure the rapid and effective development of a fix and communication plan.
We only publish Security Bulletins if they include something actionable such as a workaround, mitigation, version update, or hotfix. Otherwise, we would simply be informing the hacker community that our products are a target, putting our customers at greater risk. For products that are updated automatically, a non-actionable Security Bulletin might be published to acknowledge the discoverer.
To view our PSIRT policy, see KB95564 - About PSIRT.
Resources
To contact Technical Support, go to the Create a Service Request page and log on to the ServicePortal.
- If you are a registered user, type your User ID and Password, and then click Log In.
- If you are not a registered user, click Register and complete the fields to have your password and instructions emailed to you.
Disclaimer
The information provided in this Security Bulletin is provided as is without warranty of any kind. We disclaim all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall we or our suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits, or special damages, even if we or our suppliers have been advised of the possibility of such damages. Some states don't allow the exclusion or limitation of liability for consequential or incidental damages, so the preceding limitation may not apply.
Any future product release dates mentioned in this Security Bulletin are intended to outline our general product direction, and they shouldn't be relied on in making a purchasing decision. The product release dates are for information purposes only, and may not be incorporated into any contract. The product release dates aren't a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for our products remain at our sole discretion and may be changed or canceled at any time.