VN-2015-001 – “GHOST” – CVE-2015-0235
Extreme Networks Software
SUMMARY
A serious vulnerability has been discovered in two legacy functions that are related to DNS resolution in glibc. Because glibc is a fundamental OS component used by many pieces of userland software, this vulnerability is a high priority for remediation.

BACKGROUND (From the CVE Project)
There is a heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18. This allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."
Published: 2015-01-27
CVSS Severity: 10 (from NVD/NIST)

The following software, and software products supported by Extreme Networks, will be analyzed for this vulnerability:
1. ExtremeXOS
2. X-Series Secure Core Router
3. N, K, SSA, and S Modular Switches
4. A, B, C, D, G, I & 800 Series Fixed Switches
5. NetSight / NAC (IA) / Purview
6. Ridgeline
7. IDS/IPS
8. Security Information & Event Manager
9. IdentiFi Wireless
10. Wireless Mobility
11. XSR (X-Pedition Security Router)
12. ExtremeWare

Note: To our knowledge, no other Extreme products (including the Enterasys-branded products) have been determined to be vulnerable at this time.

IMPACT
Because DNS resolution is an extremely common function performed by many pieces of software, and because glibc is commonly involved in performing these resolutions, this vulnerability has a high impact across all systems and software that leverage a vulnerable version of glibc. Successful exploitation would give an attacker full remote code execution within the context of the exploited process.

NOTE: Information in RED denotes new updated information since the last revision of this notice.

PRODUCTS POTENTIALLY AFFECTED
Here is the vulnerability status of the software products supported by Extreme Networks for this issue:
ExtremeXOS – Investigating
X-Series Secure Core Router – Investigating
N, K, SSA, and S Modular Switches – Investigating
A, B, C, D, G, I & 800 Series Fixed Switches – No
NetSight/NAC(IA)/ Purview – Yes
Ridgeline – No
IDS/IPS – Yes
Security Information & Event Manager – Investigating
IdentiFi Wireless – Yes (See product list)
Wireless Mobility versions WM 5.5.X – Investigating
XSR (X-Pedition Security Router) – No
ExtremeWare – No

IMPACT DETAILS
The Impact Details will be listed using the following format:
a. Vulnerable – Yes / No / Investigating
b. Vulnerable Component
c. Conditions when component vulnerability occurs
d. Product version affected
e. Workaround
f. Target Fix Release
g. Target Fix Timeframe

ExtremeXOS (all products):
a. Vulnerable: Investigating

X-Series Secure Core Router:
a. Vulnerable: Investigating

N, K, SSA, and S Modular Switches:
a. Vulnerable: Investigating

A, B, C, D, G, I & 800 Series Fixed Switches:
a. Vulnerable: No - All A, B, C, D, G, I Series devices do not use Linux

NetSight / NAC (IA) / Purview:
a. Vulnerable: Yes
b. Vulnerable Component: glibc library on 32-bit and 64-bit NetSight appliances
c. Describe conditions when component Vulnerability occurs (why/when/how): Some components of NetSight make a call to the vulnerable function of the glibc library. It is not known how a compromise could be achieved, or if it could be achieved, but it is at least possible in theory.
d. Product version(s) affected: All NetSight Appliances
e. Workaround: There is not one currently.
f. Target Fix Release: TBD
g. Target Month for Fix Release: TBD
©2015 Extreme Networks, Inc. All rights reserved. Extreme Networks, the Extreme Networks logo, and other trademarks listed in this document, marked with an asterisk (*), are trademarks or
registered trademarks of Extreme Networks, Inc. in the United States and/or other countries. All other names are the property of their respective owners. For additional information on Extreme
Networks Trademarks, please see http://www.extremenetworks.com/company/legal/trademarks. Specifications and product availability are subject to change without notice.
Document No. / Revision: VN-2015-001 / Rev 01
Effective Date: 1/29/2015 / Owner: Serviceability
Ridgeline:
Vulnerable: No - The OS is not provided with Ridgeline; it is a software-only solution.

IDS / IPS:
a. Vulnerable: Yes
b. Vulnerable Component: glibc library on 32-bit and 64-bit Dragon appliances
c. Describe conditions when component Vulnerability occurs (why/when/how): Some components of Dragon make a call to the vulnerable function of the glibc library. It is not known how a compromise could be achieved, or if it could be achieved, but it is at least possible in theory.
d. Product version(s) affected: All Dragon Appliances
e. Workaround: There is not one currently.
f. Target Fix Release: TBD
g. Target Month for Fix Release: TBD

Security Information & Event Manager:
a. Vulnerable: No (Product does not use any version of glibc)
b. Vulnerable Component: None
c. Describe conditions when component Vulnerability occurs (why/when/how): None
d. Product version(s) affected: None
e. Workaround: NA
f. Target Fix Release: None
g. Target Month for Fix Release: NA

IdentiFi Wireless: IdentiFi controller:
a. Vulnerable: Yes
b. Vulnerable Component: glibc based components including Python
c. Product version(s) affected: all releases between 3.0 and 9.15.0 inclusive
d. Workaround: Risk of successful exploit is low. The controller only accepts hostnames and FQDNs in a limited number of commands and GUI options, and the input is checked to enforce length limits and valid characters for host names. Qualys has provided a list of applications that are not vulnerable when running on versions of Linux with the vulnerable glibc version. The list includes most of the third-party open source software used for remote access to the controller and APs. In addition, the controller has few places where a host name or FQDN can be entered or used. So risk of a successful exploit is likely low.
e. Target Fix Release: 9.21
f. Target Month for Fix Release: June 2015 (optional)

Wireless Mobility:
Controller & Access Points:
a. Vulnerable: Investigating

XSR (X-Pedition Security Router):
a. Vulnerable: No

ExtremeWare (all products):
a. Vulnerable: No - ExtremeWare (VxWorks based) doesn't use glibc
Threat Details
CVE: CVE-2015-0235
Name: Glibc “GHOST” vulnerability
Impact: High
Vulnerable Versions: All versions prior to glibc-2.18
Client: High
Server: High
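A triage check for the version range stated above, as an added example that is not part of the Extreme Networks notice: it classifies a glibc version string against the "2.x before 2.18" range and reports the local library via getconf. The function names and sample strings are constructed for illustration; a version number alone is not conclusive, because distribution packages can carry the fix under an older upstream version number.

```shell
#!/bin/sh
# Added example (not from the advisory): triage by glibc version number.
# The range comes from the notice: glibc 2.2 and other 2.x before 2.18.

# Print one of: in-range | not-in-range | unknown
classify_glibc() {
    ver=${1#glibc }                  # getconf prints "glibc 2.17"
    major=${ver%%.*}
    rest=${ver#*.}
    # No dot at all (empty string, "musl", ...) means we cannot parse it.
    [ "$rest" != "$ver" ] || { echo unknown; return 0; }
    minor=${rest%%[!0-9]*}           # "17-55.el7" -> "17", "12.2" -> "12"
    case "$major" in
        ''|*[!0-9]*) echo unknown; return 0 ;;
    esac
    [ -n "$minor" ] || { echo unknown; return 0; }
    if [ "$major" -eq 2 ] && [ "$minor" -lt 18 ]; then
        echo in-range
    else
        echo not-in-range
    fi
}

# Version string of the C library on this host; empty on non-glibc systems.
local_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null || echo ""
}

# Constructed sample strings, not taken from any Extreme Networks product.
for sample in "glibc 2.17" "2.12.2" "2.17-55.el7" "glibc 2.18" "2.31" "musl"; do
    printf '%-14s %s\n' "$sample" "$(classify_glibc "$sample")"
done

# An in-range result means "confirm the vendor patch level", not "vulnerable":
# the package may already contain a backported fix.
printf 'local host:    %s\n' "$(classify_glibc "$(local_glibc_version)")"
```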
Vulnerability Mitigation
TBD
Repair Recommendations
The resolution to any threat or issue is dependent upon a number of things, including the set-up of the computer network and how the local IT team wants to
address the situation. Accordingly, in addition to updating the software as recommended in this document, the local IT team will need to analyze and address the
situation in a manner that it determines will best address the set-up of its computer network.
Update the software, identified in this Notice, in your Extreme Networks’ products by replacing it with the latest releases from Extreme Networks including the
following version (or above):
1. ExtremeXOS – Investigating
2. X-Series Secure Core Router – Investigating
3. N, K, SSA, and S Modular Switches – Investigating
4. A, B, C, D, G, I & 800 Series Fixed Switches – No
5. NetSight/NAC(IA)/ Purview – Yes
6. Ridgeline – No
7. IDS/IPS – Yes
8. Security Information & Event Manager – Investigating
9. IdentiFi Wireless – Yes (See product list)
10. Wireless Mobility versions WM 5.5.X – Investigating
11. XSR (X-Pedition Security Router) – No
12. ExtremeWare – No
Firmware & Software can be downloaded from - http://www.extremenetworks.com/support/
Further Information
NIST release: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-0235
CVE Project: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
Red Hat: https://access.redhat.com/articles/1332213
Qualys Analysis: http://www.openwall.com/lists/oss-security/2015/01/27/9
Legal Notice
THIS ADVISORY NOTICE IS PROVIDED ON AN "AS IS" BASIS AND EXTREME NETWORKS MAKES NO
REPRESENTATIONS OR WARRANTIES OF ANY KIND, EXPRESSLY DISCLAIMING THE WARRANTIES OF
MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. USE OF THE INFORMATION PROVIDED HEREIN OR
MATERIALS LINKED FROM THIS ADVISORY NOTICE IS AT YOUR OWN RISK. EXTREME NETWORKS RESERVES THE
RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME, AND EXPECTS TO UPDATE THIS DOCUMENT AS
NEW INFORMATION BECOMES AVAILABLE. THE INFORMATION PROVIDED HEREIN IS APPLICABLE TO CURRENT
EXTREME NETWORKS’ PRODUCTS IDENTIFIED HEREIN AND IS NOT INTENDED TO BE ANY REPRESENTATION OF
FUTURE FUNCTIONALITY OR COMPATIBILITY WITH ANY 3RD PARTY TECHNOLOGIES REFERENCED HEREIN. THIS
NOTICE SHALL NOT CHANGE ANY CONTRACT OR AGREEMENT THAT YOU HAVE ENTERED INTO WITH EXTREME
NETWORKS.