GHOST is a buffer overflow bug affecting the gethostbyname() and gethostbyname2() functions in the GNU C Library (glibc). If a remote attacker can cause an application to call gethostbyname() or gethostbyname2(), the vulnerability allows the attacker to execute arbitrary code with the permissions of the user running the application.
GHOST was originally published by Red Hat as CVE-2015-0235: https://access.redhat.com/articles/1332213
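A host-side triage check, added here as an example (not code from Red Hat or any vendor quoted on this page): it compares the running glibc version against the upstream releases that carry the bug, glibc 2.2 through 2.17. The function and enum names are hypothetical, and because distributions backported the fix without changing the version number, an in-range result means "confirm the installed package against the vendor errata", not "vulnerable".

```c
#include <stdio.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version(), glibc only */
#endif

/* Hypothetical names for this example. Upstream-affected range: 2.2 .. 2.17. */
enum ghost_status { GHOST_UNKNOWN, GHOST_NOT_IN_RANGE, GHOST_IN_RANGE };

/* Classify a glibc version string such as "2.17" or "2.12.1". */
enum ghost_status ghost_classify(const char *version)
{
    int major = 0, minor = 0;

    /* Unparseable or missing input is reported, never guessed at. */
    if (version == NULL || sscanf(version, "%d.%d", &major, &minor) != 2
        || major < 0 || minor < 0)
        return GHOST_UNKNOWN;
    if (major == 2 && minor >= 2 && minor <= 17)
        return GHOST_IN_RANGE;
    return GHOST_NOT_IN_RANGE;
}

const char *ghost_describe(enum ghost_status s)
{
    switch (s) {
    case GHOST_IN_RANGE:
        return "in upstream-affected range; check distro package for backported fix";
    case GHOST_NOT_IN_RANGE:
        return "outside upstream-affected range";
    default:
        return "version not recognised; inspect manually";
    }
}

int main(void)
{
    const char *running = NULL;
#ifdef __GLIBC__
    running = gnu_get_libc_version();
#endif
    enum ghost_status s = ghost_classify(running);
    printf("glibc %s: %s\n", running ? running : "(not glibc)", ghost_describe(s));
    return s == GHOST_IN_RANGE ? 1 : 0;   /* non-zero exit flags hosts to review */
}
```

Processes that loaded the old library before a glibc update keep using it until they are restarted, so rerun the check from a fresh process after patching.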
1. Check Point Response to CVE-2015-0235 (glibc – GHOST)
Solution ID: sk104443
Check Point released “GNU C Library gethostbyname Buffer Overflow” IPS protection that protects customer environments.
This protection is part of the Recommended_Protection profile. It enables organizations to add a layer of protection to their network while updating their systems with vendor-provided patches.
OS Level Protection:
- IPSO OS is not vulnerable.
- While Check Point Gaia and SecurePlatform operating systems may be susceptible to CVE-2015-0235, there are no known exploits to Check Point software.
2. Juniper: 2015-01 Out of Cycle Security Bulletin: GHOST glibc gethostbyname() buffer overflow vulnerability (CVE-2015-0235)
- Junos Space
- NSM Appliance
- JSA and STRM Series
- Junos Space: PR 1060102 has been logged to resolve this issue.
- IDP-SA: PR 1060071 has been logged to resolve this issue in IDP-OS.
- CTPView: PR 1060060 has been logged to resolve this issue in CTPView.
- CTP: PR 1060352 has been logged to resolve this issue in CTP-OS.
- SRC: PR 1060350 has been logged to resolve this issue.
- NSM Appliance: PR 1059948 has been logged to resolve this issue.
- QFabric Director: gethostbyname() functions are used internally, but DNS name resolution is not supplied as a service on external ports.
- Firefly Host/vGW: The C/C++ based daemon running on the vGW/FFH Security VM agent is not exploitable. Also, the vGW/FFH management system (SD VM) is Java based (Apache Java application server) and is not applicable.
- JSA and STRM: A fix is pending release.
- IDP Anomaly: The IDP anomaly SMTP:OVERFLOW:COMMAND-LINE should cover the known SMTP variant of this vulnerability. For easy attack lookup, the Signatures team has linked CVE-2015-0235 as a reference to this anomaly and also made it part of the recommended policy. All these changes will be reflected in the next signature pack which is scheduled to release on 29-Jan-2015 at 12:00 PST.
WORKAROUND: General Mitigation:
The affected gethostbyname() functions are primarily called in response to references to DNS host names and addresses from the CLI or via services listening on the device. Apply and maintain good security best current practices (BCPs) to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to networking equipment only from trusted, administrative networks or hosts. This reduces the risk of remote malicious exploitation of the GHOST vulnerability.
3. Cisco: GNU glibc gethostbyname Function Buffer Overflow Vulnerability
Advisory ID: cisco-sa-20150128-ghost
There are currently no network-based mitigations for this vulnerability or any mitigations that can be performed directly on affected systems.