“GHOST” glibc vulnerability
Advisory ID | CVE Number | Date discovered | Severity | Advisory revision |
---|---|---|---|---|
STORM-2015-001 | CVE-2015-0235 | 01/27/2015 | high | v2 |
Vulnerability details
A vulnerability has been disclosed in the GNU C Library (glibc). Its exploitation could lead to remote code execution.
Because the GNU C Library is so widely used, this vulnerability is widespread. It lies in the gethostbyname(3) and gethostbyname2(3) functions. Consequently, any software that uses these functions may also be vulnerable.
Nevertheless, the attack vectors are very difficult to exploit because they are specific to each piece of software.
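To see which dynamically linked programs on a Linux host import the two functions named above, their undefined dynamic symbols can be listed with nm from binutils. The script below is an added example, not part of the advisory or of any vendor tooling; the function names ghost_imports, ghost_scan and ghost_sample are hypothetical and the sample nm output is constructed.

```shell
#!/bin/sh
# Added example: inventory of binaries that import the functions named in
# the advisory. All function names here are hypothetical helpers.

# Read `nm -D --undefined-only` output on stdin and print each imported
# function the advisory lists. Only undefined ("U") symbols are imports;
# a symbol-version suffix such as @GLIBC_2.2.5 is stripped first.
ghost_imports() {
    awk '$1 == "U" {
        name = $2
        sub(/@.*/, "", name)
        if (name == "gethostbyname" || name == "gethostbyname2") print name
    }' | sort -u
}

# Walk DIR and print "path<TAB>function" for every file whose dynamic
# symbol table imports one of the two functions. Files nm cannot read
# (scripts, data, static binaries) produce no output.
ghost_scan() {
    dir=$1
    command -v nm >/dev/null 2>&1 || { echo "nm (binutils) not found" >&2; return 2; }
    find "$dir" -xdev -type f 2>/dev/null | while IFS= read -r f; do
        nm -D --undefined-only "$f" 2>/dev/null | ghost_imports |
        while IFS= read -r sym; do
            printf '%s\t%s\n' "$f" "$sym"
        done
    done
}

# Constructed nm output: two matching imports, two unrelated imports,
# a weak symbol, and a locally defined function that must not count.
ghost_sample() {
    cat <<'EOF'
                 U gethostbyname@GLIBC_2.2.5
                 U gethostbyname2@GLIBC_2.2.5
                 U gethostbyaddr@GLIBC_2.2.5
                 U getaddrinfo@GLIBC_2.2.5
                 w __gmon_start__
0000000000001139 T gethostbyname
EOF
}

# Usage: sh script.sh /usr/sbin
if [ $# -gt 0 ]; then ghost_scan "$1"; fi
```

A listed import only shows that the program can reach the affected functions, not that it is exploitable; statically linked binaries do not appear in the output.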
Impacted products
Products | Severity | Detail |
---|---|---|
Fast360 | high | The product embeds a vulnerable version of glibc. |
Revisions
Version | Date | Description |
---|---|---|
v1 | 02/02/2015 | Initial release |
v2 | 02/26/2015 | Patch version released |

Fast360
CVSS v2 Overall Score: 8.2
Analysis | Impacted version |
---|---|
Arkoon Fast360 products embed a vulnerable version of glibc. Thus, any software in Arkoon Fast360 products using the vulnerable functions gethostbyname(3) and gethostbyname2(3) may be vulnerable to a buffer overflow. Nevertheless, there is currently no known attack vector allowing the successful exploitation of this vulnerability on Fast360 appliances. Consequently, the exploitation of this vulnerability may require a large skill set, as the attacker would have to develop a custom attack. | |
Workaround solution | Solution |
---|---|
There is no workaround solution. | 5.0/33 and 6.0/7 updates fix this vulnerability. You are strongly advised to update your appliances. |
Access vector | Access complexity | Authentication | Confidentiality impact | Integrity impact | Availability impact |
---|---|---|---|---|---|
Network | High | None | Complete | Complete | Complete |
CVSS Base score: 7.6 | CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C) |
Exploitability | Remediation Level | Report Confidence |
---|---|---|
Unproven that exploit exists | Unavailable | Confirmed |
CVSS Temporal score: 6.5 | CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:U/RC:C) |
Collateral Damage Potential | Target Distribution |
---|---|
High | High [76-100%] |
CVSS Environmental score: 8.2 | CVSS Vector: (AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:U/RC:C/CDP:H/TD:H/CR:ND/IR:ND/AR:ND) |
