Advisory ID vasco-sa-20150202-ghost
Revision number 1.0
Date of Release February 04, 2015 01:50 PM UTC+1
Last update February 04, 2015 01:50 PM UTC+1
On January 27, 2015, security researchers from Qualys publicly announced a vulnerability in the GNU C library, known as glibc. The vulnerability, which is commonly referred to as GHOST, may allow an unauthenticated, local or remote attacker to take control of systems. The first vulnerable version of the GNU C Library is glibc-2.2, released on November 10, 2000.
Following products are affected by the GHOST vulnerability:
- IDENTIKEY Federation Server 1.4, 1.5
- IDENTIKEY Appliance (all versions)
- aXsGUARD Gatekeeper (all versions)
The GNU C library glibc is the implementation of the standard library of the C programming language by the GNU Project. The C standard library provides basic functions for interaction with operating system services, input/output processing, memory allocation, and other types of functions.
The GNU C library contains a function named __nss_hostname_digits_dots(), which is used by the gethostbyname() and gethostbyname2()functions. The two latter functions allow applications to resolve DNS queries.
The function __nss_hostname_digits_dots() contains a heap-based buffer overflow. A local or remote attacker can use this vulnerability to execute arbitrary code with the permissions of the user running the application.
However, the functions gethostbyname() and gethostbyname2() have been deprecated for approximately fifteen years, mainly because of lack of support of IPv6.
The vulnerability is commonly referred to as GHOST, and has been assigned the Common Vulnerabilities and Exposures (CVE) ID CVE-2015-0235.
The table below denotes the CVSS 2.0 vulnerability score of the various vulnerabilities.
CVSS Base Score: 10.0
|Authentication||Confidentiality Impact||Integrity Impact||Availability Impact|
OneSpan will release following patches:
- IDENTIKEY Federation Server 1.4.5 and 1.5.4 on February 6th 2015
- IDENTIKEY Appliance 188.8.131.52 in April 2015
- For aXsGUARD Gatekeeper 8.1.0: Hotfix 001 on February 6th 2015
OneSpan recommends customers using IDENTIKEY Authentication Server 3.4 SR1 and 3.5 to upgrade to version 3.6. OneSpan recommends customers using IDENTIKEY Authentication Server 3.6 to update the glibc library using the update system of their distribution.
For aXsGUARD Gatekeeper products:
OneSpan will deploy patches via the automated update service. Customers that do not allow their system to receive updated via this service should contact OneSpan for instructions about how to obtain the patch.
For other products
Customers with a maintenance contract can obtain fixed product releases from MyMaintenance. Customers without a maintenance contract should contact their local sales representative.
WHILE EVERY REASONABLE EFFORT IS MADE TO PROCESS AND PROVIDE INFORMATION THAT IS ACCURATE, ALL THE CONTENT AND INFORMATION IN THIS DOCUMENT ARE PROVIDED "AS IS" AND “AS AVAILABLE,” WITHOUT ANY REPRESENTATION OR ENDORSEMENT AND WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OF CURRENCY, COMPLETENESS OR SUITABILITY, OR ANY WARRANTY INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE OR PURPOSE. YOUR USE OF THIS DOCUMENT, ANY INFORMATION PROVIDED, OR OF MATERIALS LINKED FROM THIS DOCUMENT IS AT YOUR OWN RISK. VASCO RESERVES THE RIGHT TO CHANGE OR UPDATE THE INFORMATION IN THIS DOCUMENT AT ANY TIME AND AT ITS DISCRETION, AS AND WHEN NEW OR ADDITIONAL INFORMATION BECOMES AVAILABLE.
Copyright © 2015 VASCO Data Security, Inc., VASCO Data Security International GmbH. All rights reserved.