Last week a new rather scary and serious vulnerability appeared effecting most Linux systems, nicknamed GHOST because while it relates to glibc library it specifically can be targeted through getHostName used by many high level programming languages including PHP. If this is the first you heard of this, and you manage a Linux server go update glibc we will wait!
So if it’s a buffer overflow attack what does it have to do with WordPress? Why would turning XML-RPC off help? and why is half the WordPress community saying it’s not fair?
So glibc is used to handle some DNS related functions within Linux systems and some languages like PHP in particular getHostGyName which takes a domain name and returns an IP4 address. So using a well crafted fake domain name it’s possible to get the function to return more then it’s meant to. As most programmers won’t be double checking what’s coming out of the function this provides a good attack vector. Now gethostbyname() PHP function is pretty common, it’s probably used in ever major php application going somewhere, though to be fully exploitable it does need a specific set of circumstances. Want to take a guess where one such set is?
Yep WordPress XML-RPC implementation, has just the right combination of circumstances to mean it can be used to leverage this exploit. Let’s be clear the way the library is coded is not itself a vulnerability and WordPress is not vulnerable, rather it’s being used to get to the exploitable code. Also it’s important to remember it’s not alone there could be thousands of other applications with this issue.
So why pick on WordPress?
It powers 23% of the Web, so if you were going to exploit GHOST what better way then to go through WordPress. The link therefore is due to it’s popularity and circumstances within the code WordPress is a good way to leverage GHOST.
So what should you do?
Simple update glibc Library right now, if you are not in a position to do that, for example you are on shared hosting then, ask your host have they done it. If they can’t, won’t then consider moving, it’s a consumer market use your feet and get out while you can.
So if the answer is to update, why do people say turn of XML-RPC?
Turning off XML-RPC will NOT solve the problem, it may mitigate a single attack vector, but what about plugins using gethostbyname or other applications, they will still be vulnerable. switching off XML-RPC simply closes one door, it doesn’t fix the issue, the fix is to update the library.
Also XML-RPC is useful, and you may well use it day in day out and not know, so switching it off may have an effect on you and your users. Think very carefully before turning XML-RPC off, and if you do that doesn’t mean you don’t need to either update the library or move hosts.
So then why is the WordPress community upset?
Well they think WordPress has been singled out for an issue that is beyond their control and they are unable to fix. WordPress has battled hard to get rid of a stigma that has at times been unfairly applied to it saying it’s insecure. So to have article after article refer to WordPress in relation to GHOST with few truly explaining this is an issue beyond WordPress its easy to see why it’s rubbing people up the wrong way. Unfortunately this is one of those times WordPress popularity is biting it on the ass, and while some headlines are sensationalist, there is no getting past WordPress is a proven way to exploit GHOST.
Whats the solution, get people to upgrade the library and not try to fix WordPress.
Further Reading
Couple of half decent articles and explanations
- Qualys Original Explanation and Announcement
- GHOST what you need to know by Sophos
- Sucuri Explanation and WordPress exploit example.