CVE-2015-0235 GHOST Vulnerability

paulaust
New Contributor

Has anyone gotten any good information back on this one yet. Apple has given me the typical response of "no comment".


kilodelta
New Contributor III

Obviously, we'll want to wait for Apple to confirm or deny with full detail, but I think Mac OS X is mostly safe.

As far as I can tell, Apple doesn't include the GNU C Library in Mac OS X by default - and why would they? If you're writing a Mac OS X app, you ought to be using Cocoa APIs, writing in Swift, or maybe Carbon if you're dealing with old code and don't care about x64 support, Grand Central Dispatch, etc. Obviously, an app could include the library for its own use (especially if it's cross platform) and that could certainly be an issue, but those are one off cases. Mac OS X, at its core, doesn't need the functions in GlibC because they've been implemented elsewhere in different APIs written by Apple.

To confirm my suspicions, I tried compiling the sample test code published with the vulnerability (https://webshare.uchicago.edu/orgs/ITServices/itsec/Downloads/GHOST.c), and it failed because the vulnerable function in GlibC (gethostbyname_r) isn't available on Mac OS X - or, at least, it's not part of the libraries included with XCode:

$ gcc -v -o GHOST GHOST.c
Apple LLVM version 6.0 (clang-600.0.54) (based on LLVM 3.5svn)
Target: x86_64-apple-darwin14.1.0
Thread model: posix
 "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/clang" -cc1 -triple x86_64-apple-macosx10.10.0 -emit-obj -mrelax-all -disable-free -disable-llvm-verifier -main-file-name GHOST.c -mrelocation-model pic -pic-level 2 -mdisable-fp-elim -masm-verbose -munwind-tables -target-cpu core2 -target-linker-version 241.9 -v -resource-dir /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0 -isysroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk -fdebug-compilation-dir /Users/wgreen/tmp -ferror-limit 19 -fmessage-length 173 -stack-protector 1 -mstackrealign -fblocks -fobjc-runtime=macosx-10.10.0 -fencode-extended-block-signature -fdiagnostics-show-option -fcolor-diagnostics -vectorize-slp -o /var/folders/6k/vt65mj_165jg2_b8d45p47tmtbg8rp/T/GHOST-d795b8.o -x c GHOST.c
clang -cc1 version 6.0 based upon LLVM 3.5svn default target x86_64-apple-darwin14.1.0
ignoring nonexistent directory "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk/usr/local/include"
ignoring nonexistent directory "/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk/Library/Frameworks"
#include "..." search starts here:
#include <...> search starts here:
 /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/include
 /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/include
 /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk/usr/include
 /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk/System/Library/Frameworks (framework directory)
End of search list.
GHOST.c:32:12: warning: implicit declaration of function 'gethostbyname_r' is invalid in C99 [-Wimplicit-function-declaration]
  retval = gethostbyname_r(name, &resbuf, temp.buffer, sizeof(temp.buffer), &result, &herrno);
           ^
1 warning generated.
 "/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/ld" -demangle -dynamic -arch x86_64 -macosx_version_min 10.10.0 -syslibroot /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX10.10.sdk -o GHOST /var/folders/6k/vt65mj_165jg2_b8d45p47tmtbg8rp/T/GHOST-d795b8.o -lSystem /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/../lib/clang/6.0/lib/darwin/libclang_rt.osx.a
Undefined symbols for architecture x86_64:
  "_gethostbyname_r", referenced from:
      _main in GHOST-d795b8.o
ld: symbol(s) not found for architecture x86_64
clang: error: linker command failed with exit code 1 (use -v to see invocation)

mm2270
Legendary Contributor II

Agreed. Everything I was just able to pull up on this indicates RedHat as the OS affected, not OS X. If and until OS X is listed as an affected OS, why worry about it?

kilodelta
New Contributor III

To be clear, it's any Linux OS that includes the vulnerable versions of the GNU C Library. Ubuntu Linux server versions 10.04LTS and 12.04LTS are affected, for example, as are multiple versions of RHEL or CentOS. That has implications for those of us running our JSS' or JDS' on Linux, or NetSUS appliances - so us Admins still have some footwork to do, but it's not as widespread as Shellshock is/was.

mm2270
Legendary Contributor II

True. JAMF may actually want to chime in on this since they distribute Ubuntu as part of their NetSUS product, and of course as you state, anyone running their JSS instance on a Linux distribution will also want to keep an eye on this. I wasn't trying to dismiss this as a complete non-issue, but I don't know (yet) that Apple has to provide any comment on it. OS X ≠ Linux strictly speaking, so just because it affects Linux doesn't mean OS X is also affected.

paulaust
New Contributor

I opened a support ticket with JAMF, but haven't heard back from them yet. As soon as I do, I will post the results. Just covering my bases here.

jason_vanzanten
New Contributor III

It looks like the GHOST vulnerability (CVE-2015-0235) only affects Linux distributions that include a vulnerable version of GNU C Library (glibc).

@mm2270: NetBoot/SUS Appliance OVA version 3.0 or earlier is shipped with a potentially vulnerable version of Ubuntu:
- NetBoot/SUS Appliance OVA v2.0 & v3.0 - Ubuntu 12.04 LTS
- NetBoot/SUS Appliance OVA v1.01 & v1.02 - Ubuntu 10.04 LTS

If you are using a potentially vulnerable version of the NetBoot/SUS Appliance OVA it is recommended to either:

  1. Upgrade to NetBoot/SUS Appliance OVA version 3.01 or later, which ships with Ubuntu 14.04 LTS: https://jamfnation.jamfsoftware.com/viewProduct.html?id=180&view=info OR
  2. Follow vendor recommendations for updating glibc (links below).

The following are some links to external resources with additional details:

Qualys blog/research report
- https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability
- https://www.qualys.com/research/security-advisories/GHOST-CVE-2015-0235.txt
- http://seclists.org/oss-sec/2015/q1/274

CVE listings
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

External blogs
- Cisco - http://blogs.cisco.com/security/talos/ghost-glibc
- Tenable Network Security - http://www.tenable.com/blog/tenable-responds-to-cve-2015-0235-ghost-updated

RedHat
- https://access.redhat.com/articles/1332213
- https://access.redhat.com/security/cve/CVE-2015-0235
- https://rhn.redhat.com/errata/RHSA-2015-0090.html
- https://rhn.redhat.com/errata/RHSA-2015-0092.html
- https://rhn.redhat.com/errata/RHSA-2015-0099.html

Ubuntu
- http://www.ubuntu.com/usn/usn-2485-1/
- https://wiki.ubuntu.com/SecurityTeam/KnowledgeBase/GHOST
- http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-0235.html
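Added example, not part of the thread and not Jamf, Qualys or vendor tooling: a small POSIX shell triage script for the "is this host even in scope?" question raised above. It sorts a host by C library (Darwin's BSD-derived libc has no gethostbyname_r, which is why the GHOST.c test fails to link there) and, on Linux, reads the glibc version from the real commands `getconf GNU_LIBC_VERSION` or `ldd --version`. The 2.18 threshold is the upstream fix version named in the Qualys advisory linked above; the catch for admins is that distributions backported that fix into older branches (Ubuntu 12.04's 2.15, RHEL 6's 2.12), so anything below 2.18 is reported as "compare the installed package against the vendor advisory", never as "vulnerable". Function names and the output vocabulary are my own.

```shell
#!/bin/sh
# Added example (not from the thread): CVE-2015-0235 host triage.
# Assumptions: upstream glibc fixed GHOST in 2.18 (Qualys advisory);
# vendors backported to older branches, so < 2.18 means "check the
# package version against USN/RHSA", not "vulnerable".

# version_ge A B: return 0 when dotted version A >= B, compared on major.minor.
version_ge() {
    a_major=${1%%.*}
    case $1 in *.*) a_minor=${1#*.}; a_minor=${a_minor%%.*} ;; *) a_minor=0 ;; esac
    b_major=${2%%.*}
    case $2 in *.*) b_minor=${2#*.}; b_minor=${b_minor%%.*} ;; *) b_minor=0 ;; esac
    [ "$a_major" -gt "$b_major" ] && return 0
    [ "$a_major" -lt "$b_major" ] && return 1
    [ "$a_minor" -ge "$b_minor" ]
}

# classify_glibc "<version line>": accepts the output of `getconf GNU_LIBC_VERSION`
# ("glibc 2.15") or the first line of `ldd --version`
# ("ldd (Ubuntu EGLIBC 2.15-0ubuntu10.10) 2.15"), takes the trailing
# major.minor and prints one of:
#   upstream-fixed <ver>          glibc >= 2.18
#   check-vendor-backport <ver>   glibc < 2.18: compare package to vendor advisory
#   unknown                       no glibc version found (musl, BSD libc, ...)
classify_glibc() {
    ver=$(printf ' %s\n' "$1" | sed -n '1s/.*[^0-9.]\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then
        echo "unknown"; return 2
    elif version_ge "$ver" "2.18"; then
        echo "upstream-fixed $ver"; return 0
    else
        echo "check-vendor-backport $ver"; return 1
    fi
}

# assess_host: apply the classification to the machine running the script.
assess_host() {
    case $(uname -s) in
        Darwin)
            # BSD-derived libc: no glibc, no gethostbyname_r, nothing to patch for GHOST.
            echo "darwin-bsd-libc"; return 0 ;;
        Linux)
            line=$(getconf GNU_LIBC_VERSION 2>/dev/null) \
                || line=$(ldd --version 2>/dev/null | head -n 1)
            classify_glibc "$line" ;;
        *)
            echo "unknown"; return 2 ;;
    esac
}

# Demo run. The status is informational: 1 = check the vendor backport,
# 2 = no glibc version found; neither is an error for a triage script.
assess_host || :
```

Usage: run it on each JSS, JDS or NetSUS host; a "check-vendor-backport 2.15" on an Ubuntu 12.04 appliance means the next step is `dpkg -l libc6` against USN-2485-1 (or `rpm -q glibc` against the RHSA on RHEL/CentOS), and "darwin-bsd-libc" on a Mac confirms the result of the failed GHOST.c link above.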

jarednichols
Honored Contributor

OS X and iOS are BSD-based and utilize libc, not glibc.