GHOST glibc Security Alert January 2015

Summary

Epicor has been made aware of a critical vulnerability in the glibc library, which has been assigned CVE-2015-0235 and is commonly referred to as ‘GHOST’. All versions of glibc shipped with all variants of Red Hat Enterprise Linux are affected.

GHOST is a ‘buffer overflow’ bug affecting the gethostbyname() and gethostbyname2() function calls in the glibc library. This vulnerability allows a remote attacker that is able to make an application call to either of these functions to execute arbitrary code with the permissions of the user running the application.

The gethostbyname() function calls are used for DNS resolving, which is a very common event. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying an invalid hostname argument to an application that performs a DNS resolution.

Checking Vulnerability

The easiest way to check for the vulnerability is to run the the Red Hat Access Lab’s “glibc (GHOST) Detector” script:

curl -s http://kb.eclipseinc.com/repo/GHOST-test.sh | bash

If the server is vulnerable, you will see output similar to:

Installed glibc version(s)
- glibc-2.5-42.i686: vulnerable
- glibc-2.5-42.x86_64: vulnerable

This system is vulnerable to CVE-2015-0235. <https://access.redhat.com/security/cve/CVE-2015-0235>
Please refer to <https://access.redhat.com/articles/1332213> for remediation steps

If the server is not vulnerable, you will see output similar to:

Installed glibc version(s)
- glibc-2.5-123.el5_11.1.x86_64: not vulnerable
- glibc-2.5-123.el5_11.1.i686: not vulnerable

Resolution

Update RHEL to patch the affected libraries:

yum -y update glibc nscd

Double-check that the patches have been applied by running the detection script again:

curl -s http://kb.eclipseinc.com/repo/GHOST-test.sh | bash

Reboot the server to finish applying the patches:

reboot

Troubleshooting

If you receive an error when attempting to run yum, it could be because your Red Hat subscription has expired. In this case, we’ve setup a package repository for you, which you can use by running the following commands:

curl -s -o /etc/yum.repos.d/eclipse.repo http://kb.eclipseinc.com/repo/eclipse.repo
yum -y update glibc nscd

If you receive an error similar to “Public key for glibc-headers-2.5-123.el5_11.1.x86_64.rpm is not installed”, then it means your Red Hat software is very much out of date, and you’ll need to first update some other packages:

curl -s -o /usr/share/rhn/RHNS-CA-CERT http://kb.eclipseinc.com/repo/RHNS-CA-CERT
curl -s -o /etc/yum.repos.d/eclipse.repo http://kb.eclipseinc.com/repo/eclipse.repo
yum --nogpgcheck -y update rhn*
rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release
yum -y update glibc nscd

Frequently Asked Questions

Q: I installed the patch, and now the script says my server is “not vulnerable”. Do I still need to reboot my server?
A: Yes.

POODLE SSLv3 Security Alert October 2014

Summary

Epicor has been keeping apprised of a vulnerability in the SSL 3.0 protocol, which has been assigned CVE-2014-3566. All implementations of SSL 3.0 are affected.

POODLE stands for Padding Oracle On Downgraded Legacy Encryption. This vulnerability allows a man-in-the-middle attacker to decrypt ciphertext using a padding oracle side-channel attack. POODLE affects older standards of encryption, specifically Secure Socket Layer (SSL) version 3.0. It does not affect the newer encryption mechanism known as Transport Layer Security (TLS).

Because it’s a vulnerability in the protocol, not a bug in the implementation, there is no “patch,” so SSLv3 should be disabled in all client and server software.

Epicor’s Response

There are functions of the Eclipse server software that initiate HTTPS connections to external servers (e.g. for credit card processing). Those connections previously allowed SSLv3, so we have updated the code to explicitly require TLS connections. The patch (DNV616) can be applied manually, or it will be included by default in the customer’s next point upgrade.

We have also reviewed the Eclipse application server and confirmed that SSLv3 is already disabled in the release, which uses TLS by default.

Recommended Customer Actions

We recommend that customers request the patch or a point upgrade to a release of Eclipse with SSLv3 client functionality disabled.

We also recommend that any customers running external web servers (e.g. web commerce, mobile) disable SSLv3 on IIS using Microsoft’s “fix it” tool.

FAQ

Q. How can I verify that my Solar application server (or any other secure web service) is not vulnerable?
A. Run the command below:

openssl s_client -connect HOSTNAMEORIPADDRESS:PORT -ssl3

For example, the following output, run against a the Solar application server running on the local server, shows that the service is not vulnerable:

[root@rs6k ~]# openssl s_client -connect localhost:2443 -ssl3
CONNECTED(00000003)
25211:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:284:

How do I display shell command history with date and time under UNIX or Linux operating systems?

If the HISTTIMEFORMAT is set, the time stamp information associated with each history entry is written to the history file, marked with the history comment character. 

Defining the environment variable as follows:

[root@hostname ~]# HISTTIMEFORMAT=”%m/%d/%y %T “

 

Where,  %d – Day  %m – Month  %y – Year  %T – Time

To see history type: history

[root@hostname ~]# history

How do I add or delete contacts under my Epicor support account?

In order to add or delete contacts, you must have System Admin privileges in (iSupport).  Then follow these steps:

1)    When you first enter our site, you are presented with the following screen.  At the top of this screen, you will see “My account”.  Click on this:

2)    Click on either of these User Maintenance choices:

3)    Select one of the options below:

4)    If you select “Assign Permissions”, the following screen appears where you can select the level of authority for each user: