A serious security vulnerability in the glibc library included with GNU/Linux distributions has been uncovered, and while patches are available it could still leave numerous embedded systems vulnerable to attack.
The latest in an unfortunate series of security gaffes from open-source and proprietary software, the GHOST vulnerability was discovered by security research outfit Qualys
. Systems affected by GHOST suffer from a buffer overflow in a function of the standard glibc library, which can be exploited by any application which accesses the DNS resolver - i.e. anything which needs to convert hostnames into IP addresses - to execute code on the system. In testing, that was proven to include remote code execution: a specially-crafted email was sent to a mail server which launched a remote shell, despite the email going unread by its recipient and all the usual security functions of the operating system being active.
While Qualys has gone public with its findings, it is holding off on releasing exploit code until distributions have a chance to release patches. For many, that has already taken place: an update to glibc released in May 2013 closed the hole, but some long-term support (LTS) distributions - which by their nature do not include the latest versions of packages - did not pick the release up as it was not marked as a security issue. That has now been corrected, with LTS distributions including Debian, Ubuntu, Red Hat and derivatives merging the patch into their releases and updating client systems accordingly.
The fact that the flaw was exposed for versions going back more than 14 years, however, means that many devices may still be vulnerable. In particular, embedded devices running GNU/Linux and featuring versions of glibc prior to the May 2013 patch will be vulnerable until updated - and given manufacturers' frequent abandonment of firmware development for anything except their latest and greatest models, that update may never come.
Full details of the flaw are available from the security advisory