Ghost Vulnerability (CVE-2015-0235)
A serious vulnerability has been identified in code used by the gethostbyname() functions within glibc. Exploitation of this vulnerability could cause an application to crash or allow execution of arbitrary code. The bug was introduced in glibc-2.2 and was eliminated in glibc-2.18. However, many Linux distributions use one of these versions of glibc.
The vulnerability may be exploitable remotely via networked applications that use the long-deprecated gethostbyname() functions. Fortunately, most software uses the getaddrinfo() functions which are not affected. This vulnerability is also known as “Ghost” and is being tracked as CVE-2015-0235. Red Hat has rated it with a CVSS score of 6.8.
At this time, only a small number of older applications are known to be susceptible via remote attack. Because the details of the vulnerability are publicly known, it is likely that attacks against other applications will be developed.
Currently Mitel assesses the Ghost vulnerability to be a either a moderate or low risk for affected products. Exploitation could lead to applications crashing or execution of injected code. Systems at the edge of a network, such as the MBG, are at greater risk. However, the threat of exploitation is relatively low at this time. This may change as new attack vectors are identified.
Mitel is investigating its entire portfolio to determine what systems may be affected and assess the risk to our customers’ systems. Where possible, Mitel plans to issue patches to replace the vulnerable version of glibc. Where patching is not possible, Mitel will recommend other measures to reduce the risk to customers.