|Vulnerability Revealed In GNU C Library|
|Written by Alex Armstrong|
|Thursday, 18 February 2016|
A patch has been released for a buffer overflow bug that was discovered in the glibc DNS client side resolver. The vulnerability potentially affects hundreds of thousands of internet connected devices and publicizing it increases the risk!
Details of the bug, the solution and ways to trigger the buffer mismanagement it is designed to fix are contained in a Patch message circulated by Red Hat's Carlos O'Donell.
A buffer overflow, the situation that occurs when a program or process tries to store more data than its allocated memory, theoretically provides the opportunity to introduce malicious code. It is therefore very worrying that one has been found in gilbc, the popular collection of open source code widely used in Linux. It affects versions 2.9 and later and dates back to 2008.
The following details are given on the Google Security blog:
The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.
The blog post also explains how it came to Google's attention:
Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting.
Looking into it, after having crafted a working exploit, the Google security team found that the glibc maintainers had been alerted to the issue back in July 2015 and that Florian Weimer and Carlos O’Donell of Red Hat had been working on it in the interim. The two companies then collaborated on the development and testing of the patch that has now been released on Tuesday.
Google has developed exploit code for the flaw but is not making that software publicly available. However, it has published a "non-weaponized" proof of concept that can be used to test if systems are vulnerable.
Although many versions of Linux are implicated - Red Hat has confirmed that affected products include multiple versions of RHEL server, workstation and desktop products - Android appears to be in the clear.
Google has also pointed out the while remote code execution is possible, it isn't not straightforward as it requires bypassing the security mitigations present on the system, such as ASLR.
However, the fact that so much is now known about the bug, which goes by the alias CVE-2015-7547, actually makes apps and hardware devices more vulnerable until patches are implemented.
or email your comment to: firstname.lastname@example.org
|Last Updated ( Sunday, 07 April 2019 )|