glibc GHOST vulnerability in OneSpan products

Advisory ID vasco-sa-20150202-ghost

Revision number 1.0

Date of Release February 04, 2015 01:50 PM UTC+1

Last update February 04, 2015 01:50 PM UTC+1

Summary

On January 27, 2015, security researchers from Qualys publicly announced a vulnerability in the GNU C library, known as glibc. The vulnerability, which is commonly referred to as GHOST, may allow an unauthenticated, local or remote attacker to take control of systems. The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.

Impacted Products

Following products are affected by the GHOST vulnerability:

  • IDENTIKEY Federation Server 1.4, 1.5
  • IDENTIKEY Appliance (all versions)
  • aXsGUARD Gatekeeper (all versions)

Description

The GNU C library glibc is the implementation of the standard library of the C programming language by the GNU Project. The C standard library provides basic functions for interaction with operating system services, input/output processing, memory allocation, and other types of functions.

The GNU C library contains a function named __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2()functions. The two latter functions allow applications to resolve DNS queries.

The function __nss_hostname_digits_dots() contains a heap-based buffer overflow. A local or remote attacker can use this vulnerability to execute arbitrary code with the permissions of the user running the application.

However, the functions gethostbyname() and gethostbyname2() have been deprecated for approximately fifteen years, mainly because of lack of support of IPv6.

The vulnerability is commonly referred to as GHOST, and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0235.

Severity Score

The table below denotes the CVSS 2.0 vulnerability score of the various vulnerabilities.
 

CVSS Base Score: 10.0

Access Vector

Access Complexity

Authentication Confidentiality Impact Integrity Impact Availability Impact
Network Low None Complete Complete Complete

 

Product Fixes

OneSpan will release following patches:

  • IDENTIKEY Federation Server 1.4.5 and 1.5.4 on February 6th 2015
  • IDENTIKEY Appliance 3.8.9.0 in April 2015
  • For aXsGUARD Gatekeeper 8.1.0: Hotfix 001 on February 6th 2015

OneSpan recommends customers using IDENTIKEY Authentication Server 3.4 SR1 and 3.5 to upgrade to version 3.6. OneSpan recommends customers using IDENTIKEY Authentication Server 3.6 to update the glibc library using the update system of their distribution.

Location

For aXsGUARD Gatekeeper products:

OneSpan will deploy patches via the automated update service. Customers that do not allow their system to receive updated via this service should contact OneSpan for instructions about how to obtain the patch.

For other products

Customers with a maintenance contract can obtain fixed product releases from MyMaintenance. Customers without a maintenance contract should contact their local sales representative.

Reference

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235

Legal Disclaimer

WHILE EVERY REASONABLE EFFORT IS MADE TO PROCESS AND PROVIDE INFORMATION THAT IS ACCURATE, ALL THE CONTENT AND INFORMATION IN THIS DOCUMENT ARE PROVIDED "AS IS" AND “AS AVAILABLE,” WITHOUT ANY REPRESENTATION OR ENDORSEMENT AND WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OF CURRENCY, COMPLETENESS OR SUITABILITY, OR ANY WARRANTY INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE OR PURPOSE. YOUR USE OF THIS DOCUMENT, ANY INFORMATION PROVIDED, OR OF MATERIALS LINKED FROM THIS DOCUMENT IS AT YOUR OWN RISK. VASCO RESERVES THE RIGHT TO CHANGE OR UPDATE THE INFORMATION IN THIS DOCUMENT AT ANY TIME AND AT ITS DISCRETION, AS AND WHEN NEW OR ADDITIONAL INFORMATION BECOMES AVAILABLE.

Copyright © 2015 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.

🖨 glibc GHOST vulnerability in OneSpan products