Vulnerability Revealed In GNU C Library
Written by Alex Armstrong   
Thursday, 18 February 2016

A patch has been released for a buffer overflow bug that was discovered in the glibc DNS client side resolver. The vulnerability potentially affects hundreds of thousands of internet connected devices and publicizing it increases the risk!


glibcsq

Details of the bug, the solution and ways to trigger the buffer mismanagement it is designed to fix are contained in a Patch message circulated by Red Hat's Carlos O'Donell. 

A buffer overflow, the situation that occurs when a program or process tries to store more data than its allocated memory, theoretically provides the opportunity to introduce malicious code. It is therefore very worrying that one has been found in gilbc, the popular collection of open source code widely used in Linux. It affects versions 2.9 and later and dates back to 2008.

The following details are given on the Google Security blog:

The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.

The blog post also explains how it came to Google's attention:

Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting.

Looking into it, after having crafted a working exploit, the Google security team found that the glibc maintainers had been alerted to the issue back in July 2015 and that Florian Weimer and Carlos O’Donell of Red Hat had been working on it in the interim. The two companies then collaborated on the development and testing of the patch that has now been released on Tuesday.

Google has developed exploit code for the flaw but is not making that software publicly available. However, it has published a "non-weaponized" proof of concept that can be used to test if systems are vulnerable.

Although many versions of Linux are implicated - Red Hat has confirmed that affected products include multiple versions of RHEL server, workstation and desktop products - Android appears to be in the clear.

Google has also pointed out the while remote code execution is possible, it isn't not straightforward as it requires bypassing the security mitigations present on the system, such as ASLR. 

However, the fact that so much is now known about the bug, which goes by the alias CVE-2015-7547, actually makes apps and hardware devices more vulnerable until patches are implemented. 

 glibcsq

Banner


An Introduction to Neo4j
03/11/2020

Learn about Neo4j and Cypher in less than a day with a free course that  introduces you to graph databases and how to use the Cypher graph language to query and update a Neo4j database.



Microsoft Adds Custom Data Types To Excel
03/11/2020

Microsoft is adding support for custom business data types to Excel. The addition will be made to Excel for Windows for Office 365 subscribers. The new facility seems powerful, but likely to cause con [ ... ]


More News

 

square

 



 

Comments




or email your comment to: comments@i-programmer.info

Last Updated ( Sunday, 07 April 2019 )