VanDyke Software

Security Advisory

GHOST gethostbyname() Heap Overflow in glibc (CVE-2015-0235)

Risk assessment: Moderate for unpatched Linux platforms.


Posted: February 11, 2015

Description

A vulnerability has been discovered in specific versions of the glibc library: a heap overflow in the gethostbyname() or gethostbyname2() functions may allow an attacker to execute arbitrary code.

This is a vulnerability in specific versions of glibc; it is not a vulnerability in VanDyke Software products. However, since VanDyke Software products on supported Linux platforms (Red Hat, Ubuntu, SUSE) dynamically link to glibc, if glibc is unpatched on your system, you may be affected in circumstances where a call to gethostbyname() is made (see Products Affected section below).

VanDyke Software products on all other platforms (Windows, Mac OS X, FreeBSD, AIX, Solaris, iOS) are not affected by this vulnerability in glibc.

Products NOT Affected

  • VanDyke Software products for all non-Linux platforms (Windows, Mac OS X, FreeBSD, AIX, Solaris, iOS).
  • VanDyke Software products on Linux platforms where glibc is appropriately patched to address the GHOST vulnerability.

Products Affected

VanDyke Software products are potentially susceptible when running on unpatched Linux platforms (Red Hat, Ubuntu, SUSE) only where any of the following specific circumstances are present:

  • IPv6 is not available. Where IPv6 is available, GetAddrInfo() is used, not gethostbyname().
  • ClientPack (vcp, vsh, vsftp, vpka), SecureCRT, or SecureFX are configured to connect through a SOCKS 4 proxy to a remote host specified by name (rather than by IP address).
  • ClientPack/SecureCRT clients are configured to perform X11 forwarding.
  • ClientPack/SecureCRT clients are configured to perform remote/reverse port forwarding using a host name instead of an IP address as the target.
  • VShell is configured with connection filters enabled and where any connection filter entry is specified as a host name. Connection filters are not enabled by default in VShell.
  • VShell is configured to allow GSSAPI authentication with the SSH2 protocol (this is the default configuration), and a client attempts GSSAPI authentication (whether successful or not). GSSAPI authentication relies on fully qualified host name resolution, which involves calls to gethostbyname().
  • VShell is configured with SyslogSetting set to 'udp'. The default SysLogSetting in VShell is 'tcp'.

Recommended Solution

Patch the glibc library files installed on your system according to instructions available from your Linux distribution vendor or other online resources. For example:
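Because the products link to glibc dynamically, a process started before the patch keeps the old library mapped until it is restarted. The following check is an added example, not VanDyke Software code: it relies on the Linux kernel marking an unlinked mapped file as "(deleted)" in /proc/PID/maps, and the function names, PIDs, process names and library file names are constructed for illustration.

```shell
#!/bin/sh
# stale_libc_pids [PROC_ROOT]
# Prints "PID NAME" for every process whose maps file still shows a libc
# mapping marked "(deleted)", i.e. the library file was replaced on disk
# after the process started. PROC_ROOT defaults to /proc; the parameter
# exists so the function can be run against a constructed tree.
stale_libc_pids() {
    root=${1:-/proc}
    for maps in "$root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        dir=${maps%/maps}
        pid=${dir##*/}
        # Matches libc-2.NN.so and libc.so.6, but not libcrypto or libcap.
        if grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$maps" 2>/dev/null; then
            name=$(cat "$dir/comm" 2>/dev/null || echo '?')
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Constructed sample: a fake /proc tree with one process still mapping the
# replaced library and one that was restarted after the update.
make_sample_proc() {
    d=$(mktemp -d)
    mkdir -p "$d/101" "$d/202"
    echo old-proc > "$d/101/comm"
    echo '7f00-7f10 r-xp 00000000 08:01 11 /lib64/libc-2.99.so (deleted)' > "$d/101/maps"
    echo new-proc > "$d/202/comm"
    {
        echo '7f00-7f10 r-xp 00000000 08:01 12 /lib64/libc-2.99.so'
        echo '7f20-7f30 r-xp 00000000 08:01 13 /lib64/libcrypto.so.10 (deleted)'
    } > "$d/202/maps"
    echo "$d"
}

sample=$(make_sample_proc)
stale_libc_pids "$sample"
rm -rf "$sample"
```

On a live system, run `stale_libc_pids` with no argument as root after updating glibc; any process it lists needs a restart to pick up the patched library.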

Official Postings

Revision History

February 11, 2015 – Security Advisory Published