Utimaco has become aware of vulnerability CVE-2015-0235
aka "GHOST" affecting “gethostbyname” functions of Linux library glibc. Analysis of the impact of GHOST on Utimaco HSM products has led to the following conclusions:
- Utimaco’s “CryptoServer LAN” appliances embed a vulnerable version of glibc. The GHOST vulnerability cannot be exploited due to the intentionally limited functionality of the CryptoServer LAN hardened Operating System and further mitigating factors.
- Furthermore, some tools and libraries delivered with Utimaco’s HSM product packages call the affected gethostbyname() function. These software modules load glibc dynamically at runtime. Although keys stored inside the HSM cannot be retrieved by an attacker, he might gain access to other data if the host computer relies on an affected version of glibc. We therefore strongly recommend upgrading host systems to glibc version 2.18 or above.