000029576 - RSA Authentication Manager and CVE-2015-0235 - GHOST - gethostbyname() - False Positive

Document created by RSA Customer Support Employee on Jun 14, 2016Last modified by RSA Customer Support Employee on Jun 16, 2016

Article Content

Article Number: 000029576
Applies To: RSA Authentication Manager Express 1.0
RSA Authentication Manager Appliance 3.0.4
RSA Authentication Manager 8.1.1 (and earlier)
OS: rPath Linux
SUSE Linux Enterprise Server - SLES 11.3
CVE ID: CVE-2015-0235
Scanning Tool and Version: Not identified by scan (but could be in the future).
Article Summary: Information about the impact of CVE-2015-0235 in several versions of AM. This KB was created in response to a request to provide a Security KB article with additional details.
Link to Advisories: Description of the issue from Qualys
Additional info in security mailing list
Alert Impact: Not Exploitable
Technical Details: The flaw exists but it is not exploitable
Technical Details Explanation

Description (from the National Vulnerability Database (NVD)):

Heap-based buffer overflow in the __nss_hostname_digits_dots function in glibc 2.2, and other 2.x versions before 2.18, allows context-dependent attackers to execute arbitrary code via vectors related to the (1) gethostbyname or (2) gethostbyname2 function, aka "GHOST."

CVSS v2 Base Score: 10.0 (HIGH)



Response: The flaw exists but is not exploitable

The description of the issue (as provided by the discoverer) points out that, in addition to the presence of the vulnerable library, exploitation has a number of specific requirements, and these requirements cannot be met through any interface of the AM or AMX appliance.

The issue is a buffer overflow in __nss_hostname_digits_dots which overwrites up to 4 bytes on 32-bit systems and 8 bytes on 64-bit systems. Originally fixed on May 21, 2013, it was not considered a security threat at the time, so the fix was not included in most stable and long-term-support Linux distributions.
The vulnerability is exploited by passing a specially crafted hostname to an interface which performs hostname-to-IP resolution with gethostbyname(). In order to reach the overflow, the hostname argument must meet the following requirements:
  • Its first character must be a digit
  • Its last character must not be a dot
  • It must be comprised of only digits and dots
  • It must be long enough to overflow the buffer (for example, the non-reentrant gethostbyname*() functions initially allocate their buffer with a call to malloc(1024), the "1-KB" requirement)
  • It must be successfully parsed as an IPv4 address by inet_aton(), so it cannot be an AF_INET6 resolution, and there are limits to the values ... the hostname must have one of the following forms: "a.b.c.d", "a.b.c", "a.b", or "a", where a, b, c, d must be unsigned integers, at most 0xfffffffful, converted successfully (i.e., no integer overflow) by strtoul()
It is not possible to perform this exploit against RSA Authentication Manager because hostnames are handled internally by Java classes (such as InetAddress) which validate and transform them and resolve via getByName and DNSNameService, not through the C library gethostbyname(). Even in interfaces which pass arguments to operating system tools (such as the Operations Console Networking Tools, which invoke commands such as "ping" or "nslookup"), AM validates the arguments passed to the commands and does not allow hostname values longer than 256 bytes.
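The following C program is an added illustration, not code from RSA or from Authentication Manager, of the kind of pre-resolution screening the article describes. It encodes the syntactic preconditions listed above as a check, applies the 256-byte length cap the article states AM enforces (the MAX_HOSTNAME_BYTES value is taken from the article), and, as an assumed extra defence-in-depth step that the article does not attribute to AM, collapses any input that is really an IPv4 literal into its canonical "a.b.c.d" form before it could be handed to a resolver. A canonical dotted quad is at most 15 bytes, so it can never satisfy the "long enough" requirement. The sample inputs in main() are constructed for the demonstration.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hostname length limit the article states AM enforces on arguments it hands
 * to OS tools; well below the 1 KB the overflow needs. */
#define MAX_HOSTNAME_BYTES 256

/* Outcome of screening one hostname before it reaches a resolver call. */
enum host_check {
    HOST_OK = 0,                    /* pass through unchanged */
    HOST_TOO_LONG = 1,              /* refused by the length cap */
    HOST_NUMERIC_CANONICALISED = 2  /* numeric input replaced by its dotted quad */
};

/* True when every character is a digit or a dot. */
static int only_digits_and_dots(const char *s)
{
    for (; *s; s++) {
        if (!isdigit((unsigned char)*s) && *s != '.')
            return 0;
    }
    return 1;
}

/* Returns 1 when the string satisfies the syntactic preconditions listed in
 * the article: first character a digit, last character not a dot, digits and
 * dots only, and accepted as IPv4 by inet_aton(). The remaining precondition,
 * length, is enforced separately by check_hostname(). */
int has_ghost_syntax(const char *host)
{
    size_t n = strlen(host);
    struct in_addr addr;

    if (n == 0 || !isdigit((unsigned char)host[0]))
        return 0;
    if (host[n - 1] == '.')
        return 0;
    if (!only_digits_and_dots(host))
        return 0;
    return inet_aton(host, &addr) != 0;
}

/* Screen a caller-supplied hostname. Writes the string that may be passed on
 * to the resolver into `out` (size `out_len`). Over-long inputs are refused;
 * inputs that are really IPv4 literals are collapsed to canonical "a.b.c.d"
 * form (assumed hardening step, not something the article says AM does). */
enum host_check check_hostname(const char *host, char *out, size_t out_len)
{
    if (strlen(host) > MAX_HOSTNAME_BYTES) {
        out[0] = '\0';
        return HOST_TOO_LONG;
    }
    if (has_ghost_syntax(host)) {
        struct in_addr addr;
        inet_aton(host, &addr);                 /* already known to succeed */
        snprintf(out, out_len, "%s", inet_ntoa(addr));
        return HOST_NUMERIC_CANONICALISED;
    }
    snprintf(out, out_len, "%s", host);
    return HOST_OK;
}

/* Constructed sample inputs for the demonstration. */
int main(void)
{
    const char *samples[] = { "example.com", "1.2.3", "2130706433", "1.2.3." };
    char out[64];
    char longhost[301];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        enum host_check r = check_hostname(samples[i], out, sizeof out);
        printf("%-12s -> %d (%s)\n", samples[i], r, out);
    }
    memset(longhost, '0', 300);          /* digits-only string over the cap */
    longhost[300] = '\0';
    printf("300 x '0'    -> %d\n", check_hostname(longhost, out, sizeof out));
    return 0;
}
```

Note that inet_aton() accepts the shorter "a.b.c", "a.b" and "a" forms named in the article, so "1.2.3" canonicalises to "1.2.0.3" and "2130706433" to "127.0.0.1"; the point of the canonicalisation is that whatever the input length, only the short dotted quad is ever handed on.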



Read and use the information in this RSA Security Advisory to assist in avoiding any situation that might arise from the problems described herein. If you have any questions regarding this product alert, contact RSA Software Technical Support at 1-800-995-5095. RSA Corporation distributes RSA Security Advisories in order to bring important security information to the attention of users of the affected RSA products. RSA recommends that all users determine the applicability of this information to their individual situations and take appropriate action. The information set forth herein is provided 'as is' without warranty of any kind. RSA disclaims all warranties, either express or implied, including the warranties of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall RSA or its suppliers be liable for any damages whatsoever, including direct, indirect, incidental, consequential, loss of business profits or special damages, even if RSA or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages, so the foregoing limitation may not apply.