What is it?
This vulnerability could allow a malicious actor to send specially crafted data to trigger a stack-based buffer overflow in the glibc DNS client-side resolver (the ‘resolv/nss_dns’ module and the code it calls in resolv/res_send.c), reached through the getaddrinfo() function, and execute arbitrary code on the target system. The code runs with the privileges of whichever process called getaddrinfo() through the vulnerable glibc, so the impact depends on the caller: anything from an unprivileged client tool to a root-owned daemon.
This vulnerability has been assigned CVE-2015-7547 (https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html). It was introduced in 2008, in version 2.9 of the GNU C Library (glibc), the open source C library that underpins thousands of standalone applications and most distributions of Linux, including those shipped with routers and other embedded hardware. It could therefore leave hundreds or thousands of applications and hardware devices vulnerable to attack.
The critical defect lies in resolv/res_send.c and is reached through the widely used getaddrinfo() function, which performs domain-name lookups. The vulnerability can be exploited when vulnerable software resolves an attacker-controlled domain name or sends its queries to an attacker-controlled DNS server, or when the attacker is in a man-in-the-middle position and can observe and modify the DNS traffic between a vulnerable device and its name servers. Because the trigger is a malicious DNS response rather than a malicious query, the victim only needs to look up a name; it does not need to expose any listening service.
Timeline of events
Although introduced in 2008, the bug was not reported to the glibc maintainers until July 2015 (glibc bug 18665). It was not treated as high severity, at least not publicly: the maintainers investigated the flaw in private, away from the public bug tracker, possibly because of the sensitivity of the issue, and no fix was released at that time.
In February 2016, researchers at Google and Red Hat published their findings together with proof-of-concept code, bringing the vulnerability to public attention; the glibc fix and distribution package updates were released the same day. The significant readership of Google's security blog, on which the findings were released, led to widespread coverage of this vulnerability.
What is affected?
The widely used secure shell (ssh), sudo and curl utilities are all known (http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizz...) to be vulnerable, and researchers warn that the list of other affected applications is almost too diverse and numerous to enumerate. The wget download utility was also found to be vulnerable. The vulnerability extends to an almost incomprehensibly large body of software: virtually all glibc-based Linux distributions; the Python, PHP and Ruby runtimes (and so frameworks built on them, such as Ruby on Rails); and anything else that relies on glibc to look up the numerical IP address of an Internet domain name. Most Bitcoin software is also reportedly vulnerable.
One Linux-based platform that is not vulnerable is Google’s Android mobile operating system. It uses a glibc substitute known as Bionic and is not susceptible, a company representative said. Every glibc release from 2.9 up to and including 2.22 is vulnerable; the fix is included in glibc 2.23 and in the patched packages distributions have backported to older releases.
How easy is it to fix?
Maintainers of glibc have released an update that patches the vulnerability. For many people running servers, patching is a simple matter of installing the updated glibc package from their distribution. Note that processes which were already running keep the old library mapped in memory, so long-lived daemons must be restarted (or the system rebooted) before the fix takes effect. For other types of users a fix may not be so easy: applications that were statically linked against a vulnerable glibc, or that bundle their own copy of it, will have to be rebuilt with an updated version of the library, a process that will take time as users wait for fixes to become available from hardware manufacturers and application developers.
What can be done?
Updates to fix this vulnerability are available and therefore anyone who is in a position to update should do so as soon as possible. The vulnerability relies on an oversized DNS response, specifically one larger than 2048 bytes, which may arrive over either UDP or TCP. Where patching cannot happen immediately, suggested mitigations include:
- Ensure all systems on your network send DNS queries only through a resolver you control, and configure that resolver to drop oversized or otherwise non-compliant responses
- Firewall rules that drop DNS responses larger than 1024 bytes (any cap at or below 2048 bytes closes the vulnerable path, but be aware that a 1024-byte limit will also block legitimate large answers, particularly DNSSEC-signed ones)
Further mitigations, including some that have been tested and shown not to work, are described in the original article (https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-...).
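The following is an added example, not code from the advisory or from glibc, showing the response-size check the mitigations above describe. It inspects a DNS message as it would appear in a UDP datagram, and the same message with the two-byte length prefix used for DNS over TCP, and drops any response above a configurable cap. The 1024-byte cap and the 2048-byte trigger threshold are the figures from this advisory; the function names, the verdict enum and the synthetic responses it builds are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Cap enforced on inbound DNS responses. 1024 is the advisory's firewall
 * figure; the overflow needs a response larger than the resolver's
 * 2048-byte buffer, so any cap at or below 2048 closes the vulnerable
 * path. (Assumed policy value for this example.) */
#define DNS_MAX_RESPONSE 1024
#define DNS_HEADER_LEN   12

enum dns_verdict {
    DNS_PASS = 0,
    DNS_DROP_TOO_LARGE,
    DNS_DROP_MALFORMED
};

/* Check one DNS message as carried in a UDP datagram. Only responses
 * (QR bit, the top bit of byte 2, set) are subject to the size cap;
 * queries are left alone. */
enum dns_verdict dns_check_udp(const uint8_t *msg, size_t len, size_t max_len)
{
    if (len < DNS_HEADER_LEN)
        return DNS_DROP_MALFORMED;
    int is_response = (msg[2] & 0x80) != 0;
    if (is_response && len > max_len)
        return DNS_DROP_TOO_LARGE;
    return DNS_PASS;
}

/* DNS over TCP prefixes each message with a 2-byte big-endian length.
 * The declared length is checked first, so an oversized message is
 * rejected before any of its body is consumed. The same cap applies as
 * for UDP because the vulnerable path is reachable over both. */
enum dns_verdict dns_check_tcp(const uint8_t *stream, size_t len, size_t max_len)
{
    if (len < 2)
        return DNS_DROP_MALFORMED;
    size_t declared = ((size_t)stream[0] << 8) | stream[1];
    if (declared > max_len)
        return DNS_DROP_TOO_LARGE;
    if (len < 2 + declared)
        return DNS_DROP_MALFORMED;      /* message cut short on the wire */
    return dns_check_udp(stream + 2, declared, max_len);
}

/* Build a constructed test response of exactly total_len bytes: a valid
 * header (ID 0x1234, QR=1, RD=1, RA=1, one question) followed by zero
 * padding. Test data only, not a real packet. Returns bytes written. */
size_t dns_build_response(uint8_t *out, size_t total_len)
{
    if (total_len < DNS_HEADER_LEN)
        return 0;
    memset(out, 0, total_len);
    out[0] = 0x12; out[1] = 0x34;       /* transaction ID */
    out[2] = 0x81;                       /* QR=1, opcode 0, RD=1 */
    out[3] = 0x80;                       /* RA=1, RCODE=0 */
    out[5] = 0x01;                       /* QDCOUNT=1 */
    return total_len;
}

/* The same constructed response framed for TCP: length prefix + message. */
size_t dns_build_tcp_response(uint8_t *out, size_t msg_len)
{
    if (msg_len < DNS_HEADER_LEN || msg_len > 0xFFFF)
        return 0;
    out[0] = (uint8_t)(msg_len >> 8);
    out[1] = (uint8_t)(msg_len & 0xFF);
    return 2 + dns_build_response(out + 2, msg_len);
}

int main(void)
{
    static uint8_t buf[4096];
    size_t sizes[] = { 512, 1024, 1025, 2049 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        size_t n = dns_build_response(buf, sizes[i]);
        printf("UDP response of %zu bytes: %s\n", n,
               dns_check_udp(buf, n, DNS_MAX_RESPONSE) == DNS_PASS ? "pass" : "drop");
        n = dns_build_tcp_response(buf, sizes[i]);
        printf("TCP response of %zu bytes: %s\n", sizes[i],
               dns_check_tcp(buf, n, DNS_MAX_RESPONSE) == DNS_PASS ? "pass" : "drop");
    }
    return 0;
}
```

The check is deliberately blunt: it looks only at message length and the QR bit, which is all the advisory's mitigation needs, and it applies the cap to TCP as well because a client that receives a truncated (TC=1) UDP answer will retry over TCP. The cost is the one noted above: a 1024-byte cap rejects legitimate large answers, so treat it as a stopgap until the glibc update is installed, and raise the cap towards 2048 if DNSSEC validation or large EDNS0 answers break.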
Fortunately, weaponised exploits that successfully execute malicious code are judged to be “possible, but not straightforward”, since they require bypassing ASLR and other protections designed to make software more resistant to attack. To reduce the potential for malicious exploitation, the authors of the blog article have not released a complete exploit; the published proof of concept demonstrates the crash, not code execution.
At the time of writing, CERT-UK is unaware of reports that the vulnerability is being exploited. We assess the impact of this vulnerability to be low and will continue to engage with partners and update as necessary.