2015-01 Out of Cycle Security Bulletin: GHOST glibc gethostbyname() buffer overflow vulnerability (CVE-2015-0235)

[JSA10671]


Product Affected:
Please see the list in the Problem section below.
Problem:
On January 27, 2015, Qualys announced the GHOST vulnerability:

https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.  While there is no indication that Juniper products and services are vulnerable to remote exploitation, the following products do include the affected glibc library:

Affected Products
  • Junos Space
  • CTPView
  • CTP
  • IDP-SA
  • SRC
  • NSM Appliance
  • JSA and STRM Series
  • Media Flow Controller (MFC) and Application Delivery Controller (ADC)

Products Not Affected
  • Junos
  • NetScreen ISG/SSG firewalls
  • JUNOSe
  • NSM Server*
  • SBR Carrier*
  • WX/WXC Series
  • WLA Wireless LAN Access Point
  • WLC Wireless LAN Controller
  • WLM Wireless LAN Management Appliance
  • RingMaster
  • SmartPass

Products Using Affected Library but Not Exploitable
  • QFabric Director
  • Firefly Host/vGW
  • Junos WebApp Secure (JWAS)

Products Under Investigation
  • DDoS Secure

For Pulse Secure products, refer to TSB16618 for the latest information.

Juniper is continuing to investigate our product portfolio for affected software that is not mentioned above. As new information becomes available this document will be updated.

This issue has been assigned CVE-2015-0235.


*NSM Server and SBR Carrier do not include glibc, and rely on the underlying OS libraries. Contact the OS vendor for an update.
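For hosts such as NSM Server and SBR Carrier, whose glibc comes from the underlying OS, the following local check is an added example (adapted from the canary technique Qualys published with the advisory linked above; it is not part of this bulletin or of any Juniper tool). It calls gethostbyname_r() with a numeric-looking name sized so that the unpatched size calculation under-allocates, and reports whether guard bytes placed after the resolver buffer were overwritten; build with gcc and run it on the host being assessed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Guard value placed directly after the resolver buffer. CVE-2015-0235
 * lets __nss_hostname_digits_dots() write up to 4 bytes past the end of
 * the caller's buffer, which would clobber this canary. */
#define CANARY "in_the_coal_mine"

static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the running libc is vulnerable (canary clobbered),
 * 0 if the call was rejected and the canary is intact. */
int ghost_check(void)
{
    struct hostent resbuf, *result;
    int herrno, retval;
    char name[sizeof(temp.buffer)];

    /* Name length from the Qualys test: buffer size minus the slack the
     * unpatched code forgot to count (a 16-byte address plus two char
     * pointers) minus the terminating NUL. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;
    memset(name, '0', len);
    name[len] = '\0';

    retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer),
                             &result, &herrno);

    if (strcmp(temp.canary, CANARY) != 0)
        return 1;                      /* overflow reached the canary */

    /* A fixed glibc returns ERANGE (buffer too small); other libcs may
     * return a different error, but the canary survives either way. */
    (void)retval;
    return 0;
}

int main(void)
{
    puts(ghost_check() ? "vulnerable" : "not vulnerable");
    return 0;
}
```

A result of "not vulnerable" only covers the libc the binary was linked against; statically linked binaries on the same host carry their own copy of glibc and must be checked separately.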


Solution:

Note: The PRs listed below are for tracking purposes and may not be visible on the external website.


Junos Space:
A Junos Space hot-patch has been released to resolve both the GHOST and NTP vulnerabilities described in JSA10671 and JSA10663, respectively.

Download the Patch (SHA1)

To install the patch:
  1. Transfer patch to the VIP Space Node
  2. Log into the VIP node CLI
  3. Extract the archive:
    tar -zxf glibc-ntp-hotpatch-v1.tgz

  4. Change to the patch directory
    cd glibc-ntp-hotpatch-v1

  5. Run the patch script
    sh patchme.sh

    Note: If the system is a cluster, it will prompt for login credentials for the other nodes, and patch all systems.

IMPORTANT

If this patch is installed, and you are upgrading the Junos Space platform to any currently released version up to and including 14.1R2 [Check release notes of newer versions before upgrading, or contact JTAC], the upgrade will FAIL if you do not follow the instructions below:
  1. Upload the desired upgrade version of Space Platform to the system. [Do NOT start the upgrade]
  2. Login to the VIP node
  3. Change to the patch directory. [You may need to upload it again to the current node]
    cd glibc-ntp-hotpatch-v1

  4. Run the command to patch the Space Upgrade script.
    usage: sh fixupgrade.sh <Space-version> [LOCAL|CLUSTER]
    For example:
    sh fixupgrade.sh 14.1R1.9 CLUSTER

  5. Run the Junos Space Upgrade from the Web Interface.

IDP-SA:
PR 1060071 has been logged to resolve this issue in IDP-OS.

CTPView:
This issue has been resolved in CTPView 7.0R3 and all subsequent releases.

CTP:
This issue will be resolved in CTPOS 6.6R5, 7.0R4, and all subsequent releases.

SRC:
This issue has been resolved in SRC 4.4.0-R-14, 4.6.0-R-7, 4.7.0-R-3, and 4.8.0-R-2, and all subsequent releases.

NSM Appliance:
This issue has been resolved by upgrading to CentOS 6.5. The NSM Appliance Upgrade ISO and Script for CentOS 6.5 are available on the Network & Security Manager download site.

Alternatively, customers who prefer to continue using CentOS 5.7 may install the following two RPMs:
Steps to apply RPMs:
  1. unzip glibc-common-2.5-123.el5_11.1.i386.rpm.zip
  2. rpm -Uvh glibc-common-2.5-123.el5_11.1.i386.rpm --nodeps
  3. rpm -Uvh glibc-2.5-123.el5_11.1.i686.rpm --nodeps
  4. reboot the system.

QFabric Director:
gethostbyname() functions are used internally, but DNS name resolution is not supplied as a service on external ports.

Firefly Host/vGW:
The C/C++ based daemon running on the vGW/FFH Security VM agent is not exploitable. The vGW/FFH management system (SD VM) is Java based (Apache Java application server), so the issue is not applicable to it.

Junos WebApp Secure (JWAS):
gethostbyname() functions are inaccessible from remote unauthenticated sources.

JSA and STRM:
This issue is resolved in:
  • JSA 2013.2R11 and 2014.4R5 or later releases.
  • STRM 2013.2R11 or later releases.

Media Flow Controller (MFC) and Application Delivery Controller (ADC):
Resolved in mfc-12.3.10, mfc-12.3.8, mfc-12.3.9, and mfc-13.2.0.



IDP Anomaly:
The IDP anomaly SMTP:OVERFLOW:COMMAND-LINE should cover the known SMTP variant of this vulnerability. For easy attack lookup, the Signatures team has linked CVE-2015-0235 as a reference to this anomaly and also made it part of the recommended policy. All these changes will be reflected in the next signature pack, which is scheduled to release on 29-Jan-2015 at 12:00 PST.
Workaround:
General Mitigation:
The affected gethostbyname() functions are primarily called in response to references to DNS host names and addresses from the CLI or via services listening on the device. Apply and maintain good security best current practices (BCPs) to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit access to networking equipment only from trusted, administrative networks or hosts. This reduces the risk of remote malicious exploitation of the GHOST vulnerability.
Implementation:


Modification History:

2015-01-28: Initial publication
2015-01-29: ScreenOS not vulnerable
2015-01-29: IDP-SA, SRC, and NSM Server & Appliance vulnerable
2015-01-29: QFabric Director and Firefly Host/vGW vulnerable but not exploitable
2015-01-29: SBR Carrier does not include glibc in the install package
2015-01-29: Clarified general mitigation
2015-01-30: Added NVD URL
2015-01-30: Included statements on JSA and STRM
2015-02-04: Added WX/WCS and Media Flow Controller
2015-02-06: JUNOSe uses glibc libraries, but may only be vulnerable via CLI
2015-02-06: Updated Space ETA
2015-02-11: Added WLAN Product Series
2015-02-12: JWAS not vulnerable.  ADC and DDoS Secure under investigation.
2015-02-12: WX/WXC not vulnerable.
2015-02-13: JUNOSe not vulnerable.
2015-02-17: WLA and WLC not vulnerable.  WLM and SmartPass under investigation.
2015-02-20: MFC and ADC vulnerable and resolved in software.
2015-02-23: Updated Space patch ETA to end of February.
2015-02-26: Provided pointer to Junos Space patch and provided instructions.
2015-03-10: Included solution for STRM, JSA series.
2015-03-11: Added fixed releases for CTPView and CTPOS.
2015-03-13: Added fixed releases for SRC.
2015-03-18: Added ISO and RPM fixes for NSMXpress.
2015-03-23: Clarified Junos Space patch process.
2015-04-03: WLAN products not vulnerable.
2015-04-10: Fixes for CTPOS moved to 6.6R5 and 7.0R4 due to unrelated issues with prior releases.
2015-07-14: Clarified fixupgrade.sh usage for Junos Space.
2017-03-05: Category restructure.

Related Links:
CVSS Score:
7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
Risk Level:
High
Risk Assessment:
Information for how Juniper Networks uses CVSS can be found at KB 16446 "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."
Acknowledgements: