2015-01 Out of Cycle Security Bulletin: GHOST glibc gethostbyname() buffer overflow vulnerability (CVE-2015-0235)

Product Affected: Please see the list in the Problem section below.

Problem: On January 27, 2015, Qualys announced the GHOST vulnerability: https://community.qualys.com/blogs/laws-of-vulnerabilities/2015/01/27/the-ghost-vulnerability

The GHOST vulnerability is a serious weakness in the Linux glibc library. It allows attackers to remotely take complete control of the victim system without having any prior knowledge of system credentials.

Vulnerable Products:
- Junos Space
- CTPView
- CTP

Products Not Vulnerable:
- Junos – Junos OS does not use the glibc library.

Products Under Investigation:
- QFabric Director
- JUNOSe
- NetScreen ISG/SSG firewalls
- IDP-SA
- SRC
- Firefly Host/vGW
- NSM server and NSM3000/NSMXpress appliance

For information regarding Pulse Secure products, please refer to TSB16618 for the latest information.

Juniper is continuing to investigate our product portfolio for affected software that is not mentioned above. As new information becomes available this document will be updated. This issue has been assigned CVE-2015-0235.

Solution:

NetScreen ISG/SSG firewalls: PR 1060010 has been logged to investigate whether this issue affects ScreenOS.

IDP-SA: PR 1060071 has been logged to investigate whether this issue affects IDP-OS.

CTPView: PR 1060060 has been logged to resolve this issue in CTPView.

Junos Space: PR 1060102 has been logged to resolve this issue.

IDP Anomaly: The IDP anomaly SMTP:OVERFLOW:COMMAND-LINE should cover the known SMTP variant of this vulnerability. For easy attack lookup, the Signatures team has linked CVE-2015-0235 as a reference to this anomaly and also made it part of the recommended policy. All these changes will be reflected in the next signature pack, which is scheduled for release on 29-Jan-2015 at 12:00 PST.

Workaround:

General Mitigation: The affected gethostbyname() functions are primarily called in response to references to DNS host names and addresses from the CLI. Use access lists or firewall filters to limit CLI access to networking equipment to trusted hosts only. Other attack vectors are still being researched.

In addition to the recommendations listed above, it is good security practice to limit the exploitable attack surface of critical infrastructure networking equipment. Use access lists or firewall filters to limit all administrative access to networking equipment to trusted administrative networks or hosts only.
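Because the products listed as vulnerable or under investigation are Linux-based, a practitioner will usually want a quick first-pass check of the glibc build on a given host before relying on the mitigation above. The script below is an added example, not part of the Juniper bulletin, and assumes two facts from the upstream glibc record: the overflow was fixed in glibc 2.18, so upstream versions 2.2 through 2.17 are the affected range. Distributions backport the fix without bumping the version, so a match here only means "check the vendor errata for CVE-2015-0235", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the Juniper bulletin). Classifies a glibc version
# string against the GHOST-affected range (upstream 2.2 .. 2.17; fixed in 2.18).
# Assumption: vendor backports are NOT detected by a version number alone, so a
# hit is a prompt to consult the distribution's CVE-2015-0235 errata.

# Return 0 (true) when MAJOR.MINOR falls inside 2.2 .. 2.17, 1 otherwise.
# Accepts suffixes such as "2.17-55" or "2.13.1".
glibc_version_in_ghost_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    # Drop any non-numeric tail ("17-55" -> "17") before comparing.
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*$//')
    [ "$major" = "2" ] || return 1
    [ -n "$minor" ] || return 1
    [ "$minor" -ge 2 ] && [ "$minor" -le 17 ]
}

# Pull MAJOR.MINOR from the first line of `ldd --version` output,
# e.g. "ldd (GNU libc) 2.17" or "ldd (Ubuntu EGLIBC 2.19-0ubuntu6) 2.19".
glibc_version_from_ldd() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Classify a version string; prints one of "affected-range", "outside-range"
# or "unparseable" and returns 0 so callers can use the text.
classify_glibc_version() {
    case "$1" in
        [0-9]*.[0-9]*) ;;
        *) echo "unparseable"; return 0 ;;
    esac
    if glibc_version_in_ghost_range "$1"; then
        echo "affected-range"
    else
        echo "outside-range"
    fi
}

# Live check of the local host when ldd is available; constructed sample
# strings are used in the test, this only reports on the running system.
check_local_glibc() {
    first=$(ldd --version 2>/dev/null | head -n 1) || return 2
    [ -n "$first" ] || return 2
    ver=$(glibc_version_from_ldd "$first")
    echo "local glibc $ver: $(classify_glibc_version "$ver")"
}

check_local_glibc || echo "ldd not available; run on the target host"
```

The version comparison is deliberately separated from the `ldd` parsing so the same logic can be fed output collected from appliances over SSH or from an inventory export; on a hit, the next step is the vendor PR or errata rather than any further probing of the host.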

Implementation:

Modification History:
2015-01-28: Initial publication

Related Links:

CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)

Risk Level: High

Risk Assessment: Information on how Juniper Networks uses CVSS can be found in KB 16446, "Common Vulnerability Scoring System (CVSS) and Juniper's Security Advisories."

Acknowledgements: 
