This article is more than 1 year old
Cisco says GHOST is more Casper than Sleepy Hollow
Borg exorcised GHOST years ago when it sent IPv4 to the nether realms
Cisco has put forward at least a partial response to 2015's first branded bug, GHOST, saying that in The Borg's world, the glibc vulnerability is probably of relatively low severity.
That would, at least, explain why it's not being hunted with quite the urgency of something like Heartbleed in 2014: right now, Cisco's advisory states that it hasn't confirmed the vulnerability status of any individual products.
In this blog post, four staffers in Cisco's Talos Group (Nick Biasini, Earl Carter, Alex Chiu and Jaeson Schultz) say the gethostbyname() and gethostbyname2() functions have been deprecated for around 15 years because they couldn't support IPv6.
“The superseding function is getaddrinfo() which … is not affected by this buffer overflow”.
Because of that, a program has to support the deprecated functions to be subject to GHOST.
The other restrictions that had already been identified by Qualys – the hostname has to start with a digit, the last cannot be a dot, and that only digits and dots be used in the hostname – are, Cisco says, quite unlikely in any real-world application.
Cisco says its intrusion prevention system and next generation firewall both include rules that would block attempts to exploit GHOST, and the company will issue an advisory if any of its products turn out to be vulnerable and need patching. ®