8 things physical security pros need to know about the 'Ghost' vulnerability

Feb. 11, 2015
Numerous security hardware systems run on the Linux operating system affected by the flaw

Cyber attacks continue to escalate.  We experienced an increase in 2014 over 2013 and we do not see a reduction in sight.  Most physical security systems are now connected to the internet for remote access, support, and maintenance or they are connected to the local network which in turn is connected to the internet.  It’s becoming apparent and critical that physical security systems get the same level of attention to cyber security vulnerabilities that have been given to traditional IT systems.

It is vital for physical security integrators, and internal support staff to stay up-to-date on cyber security attack vectors which can potentially impact the physical security systems they sell or support.

“Ghost” is a critical exploit impacting Linux distributions which was announced in late January. Below is a snapshot of relevant information surrounding it.

  1. The Ghost vulnerability (CVE-2015-0235) allows hackers to take control of systems remotely without knowing the system IDs or passwords. It is named “Ghost” because it can be triggered via the gethost function.
  2. Ghost was rated a 10 out of 10 severity level by The National Vulnerability Database. (Shellshock was rated a 10, and Heartbleed was rated a 5). Ghost was also rated low complexity, which means it can be easily executed.
  3. Ghost is a weakness in the Linux glibc library. The first vulnerable Linux glibc version was released in 2000, and fix code was originally created on May 21, 2013. However because this was not recognized as a security threat in 2013, the majority of Linux versions used in production were not upgraded and so remain unprotected.
  4. The Ghost vulnerability impacts almost all major Linux distributions, except a few such as Ubuntu 14.04. Millions of servers on the Internet contain this vulnerability.
  5. No user interaction is required to trigger a potential attack, according to Qualsys, which tested the vulnerability by sending an email to a mail server and obtaining a remote shell to the target Linux machine.
  6. The damage from a possible attack depends on many factors including your deployment and configuration.  If your vulnerable systems are isolated from the internet, and you do not store passwords and SSH private keys on any affected servers, then your risk might be contained.  However, with complex IT systems, interconnections, and virtual servers, it is challenging to know all the possible interconnections.  It is therefore strongly recommended that you patch any and all servers that are vulnerable.
  7. Many physical security hardware systems (NVRs, DVRs, appliances), run on the Linux operating systems. If your vendor has not notified you with regard to the Ghost vulnerability, you can contact them to learn if you are exposed and for guidance on how to fix any vulnerabilities. If your VMS is a software solution, you may not be able to get help from the vendor, but should take this vulnerability very seriously. If you are using a software VMS on Linux you need to examine your OS and patch it immediately if affected. If you have a true cloud-based system, the vendor should have directly taken care of any security issues surrounding this vulnerability, and no action should be required on your part.
  8. If you need to install a patch, it is important to patch all impacted servers. Patches were released by Linux distributors and posted on January 27, 2015.  You should install these patches immediately.  Once you have patched your system, the affected server should be rebooted. 

About the Author: Dean Drako is president and CEO of Eagle Eye Networks. He founded Eagle Eye Networks in 2012 and led it to be the first cloud-based video surveillance company to provide both cloud and on-premise recording. Previously, as founder, president and CEO of Barracuda Networks, Dean created the industry’s first email security appliance in 2003 and subsequently grew the company to more than 140 products, 150,000 customers and approximately 1000 employees. Dean received his BSEE from the University of Michigan, Ann Arbor and MSEE from the University of California, Berkeley. Goldman Sachs named Dean as one of the “100 Most Intriguing Entrepreneurs of 2014.”