Sign in / up

back to article Cisco says GHOST is more Casper than Sleepy Hollow

Cisco has put forward at least a partial response to 2015's first branded bug, GHOST, saying that in The Borg's world, the glibc vulnerability is probably of relatively low severity. That would, at least, explain why it's not being hunted with quite the urgency of something like Heartbleed in 2014: right now, Cisco's advisory …

COMMENTS

Post your comment
House rules Send corrections
Add to 'My topics' unstar *
  1. Anonymous Coward
    Anonymous Coward

    Incorrect

    The problem is that you have MORONs like SnOracle contributors to OpenJDK which have code which has getnameinfo() and getaddrinfo() in it, but ifdefs it to use gethostbyname and gethostbyaddr instead on Linux.

    So instead of having a v4/v6 unified implementation it has a factory which chooses archaic ones using gethost* family functions. All of that while having the correct code inside (it is just ifdef-ed so it is never used on Linux or BSD version >= 6).

    So while Cisco may have moved to the proper functions in all of their C code, they still have a raft of products using Java which do not use the proper function because their underlying interpreter (java) does not. Example - last time I checked Webex used java, right? It also uses the java _ON_ the system, not an alternative JDK which may not be vulnerable (not that it is likely - I bet the code in IPv4AddrImpl.c is the same throughout). So do quite a few other products.

    0 0 Reply
    1. tony2heads
      Reply Icon
      WTF?

      Re: Incorrect

      anyone out there: do they really use code that has been deprecated for more than a decade?

      0 0 Reply
      1. Anonymous Coward
        Reply Icon
        Anonymous Coward

        Re: Incorrect

        anyone out there:

        Not just use it, use it deliberately. Beginning of the file:

        #if defined(__GLIBC__) || (defined(__FreeBSD__) && (__FreeBSD_version >= 601104))

        #define HAS_GLIBC_GETHOSTBY_R 1

        #endif

        From there on they use gethostby* instead of getaddrinfo() or getnameinfo(). getaddr/name are used in the #else part of the #ifdef HAS_GLIBC_GETHOSTBY_R

        Stupidometer, here we come. We shall break though with vengeance by driving you off the scale.

        I have always admired the hubris with which some people get when they speak of Java performance and security. If you read the source it is frankly unwarranted as it is screaming LOUDLY for refactoring, clean up and optimization across the board where it talks to libc (at least as far as the linux variety of libc is concerned).

        0 0 Reply
  2. artbristol

    Unlikely?

    "The other restrictions that had already been identified by Qualys ... are, Cisco says, quite unlikely in any real-world application."

    Yeah I'm sure a hacker wouldn't dream of making up a hostname that fit those restrictions.

    Reminds me of the time I was re-educating a developer on SQL injection, and asked him what would happen if there was a quote in a user-supplier input:

    "Chances are less"

    ... sigh ...

    0 0 Reply
    1. Goobertee
      Reply Icon

      Re: @artbristol - Unlikely?

      /*

      Reminds me of the time I was re-educating a developer on SQL injection, and asked him what would happen if there was a quote in a user-supplier input:

      "Chances are less"

      ... sigh ...

      */

      How many people did it take to get your hands off his throat? Will he ever walk again?

      0 0 Reply

POST COMMENT House rules

Not a member of The Register? Create a new account here.

Forgotten password ?

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like