Glibc Vulnerability causing Trouble for Linux Machines

Glibc, the GNU C library that was at the core of the GHOST vulnerability, turns out to have another critical flaw affecting nearly all Linux machines, and it affects API web services and major web frameworks wherever that code runs. The vulnerability was discovered by researchers at Google and Red Hat and has now been patched.


Hi all,


The flaw, designated CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk of remote code execution. Google's advisory said that the flaw is triggered when the getaddrinfo() library function is used.

“A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches,” said Carlos O’Donnell from Red Hat.

Linux servers and web frameworks such as Rails, PHP and Python could also be affected, along with Android apps running glibc.

The glibc maintainers were told about this bug only last July, but it was apparently introduced in glibc 2.9 in May 2008. In an advisory, O'Donnell said that the vulnerability has likely not been publicly attacked.

“Local testing shows that we have been able to control at least the execution of one free() call with the buffer overflow and gained control of EIP…Further exploitation was not attempted, only this single attempt to show that it is very likely that execution control can be gained without much more effort,” he added.

Google's Serna confirmed that the issue affects all versions of glibc since 2.9 and that it can be temporarily mitigated until Linux machines can be patched.

“The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack,” Serna at Google said. “Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.”
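The mitigation quoted above turns on two measurable properties of a DNS response: its total size (the trigger needs more than 2048 bytes) and whether a resolver truncates large UDP answers by setting the TC bit. The following is an added example, not code from the original post, Google or Red Hat: a small parser for the 12-byte DNS header that flags a captured response when it exceeds the 2048-byte threshold or when a UDP answer exceeds 512 bytes without the TC bit set. The sample responses are constructed in `build_response` (header plus opaque filler, not a well-formed answer section); the threshold constant and the function names are this example's own.

```python
import struct

# Size above which the advisory says the glibc resolver can be made to overflow.
MAX_SAFE_RESPONSE = 2048

def parse_dns_header(data: bytes) -> dict:
    """Parse the fixed 12-byte DNS header (RFC 1035, section 4.1.1)."""
    if len(data) < 12:
        raise ValueError("too short for a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # QR bit: 1 means this is a response
        "tc": bool(flags & 0x0200),   # TC bit: answer was truncated to fit UDP
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def check_response(data: bytes, transport: str = "udp",
                   max_size: int = MAX_SAFE_RESPONSE) -> dict:
    """Return findings for one captured response.

    Two checks mirror the advisory's mitigation: the answer must stay at or
    below max_size bytes on either transport, and a UDP answer larger than the
    classic 512-byte limit should carry the TC bit (i.e. the server truncates
    instead of sending oversized datagrams).
    """
    hdr = parse_dns_header(data)
    findings = []
    if not hdr["qr"]:
        findings.append("not a response (QR bit clear)")
    if len(data) > max_size:
        findings.append(f"oversized response: {len(data)} > {max_size} bytes")
    if transport == "udp" and len(data) > 512 and not hdr["tc"]:
        findings.append("UDP response over 512 bytes without TC bit set")
    return {"size": len(data), "tc": hdr["tc"], "findings": findings}

def build_response(ident: int, tc: bool, payload_len: int) -> bytes:
    """Constructed sample for testing: a response header (QR, RD, RA set,
    optionally TC) followed by payload_len filler bytes. The body is not a
    valid answer section; it only exists to exercise the size checks."""
    flags = 0x8180 | (0x0200 if tc else 0)
    header = struct.pack("!HHHHHH", ident, flags, 1, 0, 0, 0)
    return header + b"\x00" * payload_len

if __name__ == "__main__":
    samples = {
        "normal":      build_response(0x1234, tc=False, payload_len=100),
        "truncated":   build_response(0x1235, tc=True,  payload_len=600),
        "oversized":   build_response(0x1236, tc=False, payload_len=3000),
    }
    for name, pkt in samples.items():
        result = check_response(pkt)
        print(f"{name:10s} size={result['size']:5d} tc={result['tc']!s:5s} "
              f"findings={result['findings']}")
```

Run against real traffic, the function would be fed the UDP payload (or the TCP message after its two-byte length prefix) of each response; a resolver that returns large UDP answers without the TC bit is one that the quoted mitigation says should not be used directly. For the local size cap the post mentions, dnsmasq's `--edns-packet-max` option sets the largest EDNS0 UDP packet the forwarder will handle.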

Google said that many exploitation vectors, including ssh, sudo and curl, can be used to reach this vulnerability.

“Remote code execution is possible, but not straightforward,” Serna said. “It requires bypassing the security mitigations present on the system, such as ASLR.”

Glibc is the C library that defines system calls and other basic functions on Linux systems, including the GNU OS and GNU/Linux.


Source: Akati
