I saw this morning a notice from my local information security authority titled “GNU C -kirjastosta (glibc) löydetty vakava haavoittuvuus“ (“A serious vulnerability found in the GNU C library (glibc)”). It tells that, as happened last year with GHOST, the beginning of this year brought another nasty security issue in the glibc library. It is a critical glibc (GNU C library) security issue that needs a bug fix update. All glibc versions from 2.9 onwards are vulnerable (2.9 was released in 2008); the upstream fix shipped in glibc 2.23. Earlier glibc versions (still seen in many embedded systems even nowadays) are not vulnerable to this bug (but most probably have many other issues to worry about).
The Extremely severe bug leaves dizzying number of software and devices vulnerable article tells that security researchers (Google’s online security team) have discovered a potentially catastrophic flaw in one of the Internet’s core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them. The vulnerability was introduced in 2008 in the GNU C Library, a collection of open source code that powers thousands of standalone applications and most distributions of Linux, including those shipped with routers and other types of hardware. So since 2008, this vulnerability has left apps and hardware open to remote hijacking. The flaw, CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk of remote code execution. The bug is in the getaddrinfo() function, which performs domain-name lookups: the buffer overflow there allows attackers to remotely execute malicious code. According to RHSA-2016:0175 – Security Advisory, a stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries: a remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note that the attacker does not need to own the DNS server: a man-in-the-middle on the network path, or any attacker who can get a victim to resolve a name under a domain they control, can deliver the malicious response. Remote code execution is possible, but not straightforward (it requires bypassing security mitigations such as ASLR on most systems).
There is already a patch available, but because glibc is so widespread, there are now very many vulnerable systems on the network: this bug leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them. The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate. Based on earlier issues of this kind, it is expected that there will still be very many vulnerable devices on the network in the future that are never fixed. Due to the ubiquity of glibc, this affects an astounding number of machines and software running on the Internet, and raises questions about whether glibc ought to still be the preferred C library. This glibc bug affects systems that run Linux with glibc (most desktop, server and many embedded distributions); Android (which uses the Bionic C library) and iOS do not use glibc and are not affected by this particular bug.
How to check whether the issue affects me? If you use a mainstream Linux platform, check the security advisories of your Linux distribution and update your system. If you don’t use a mainstream, actively maintained Linux distribution (for example an embedded Linux system or an old server that is not updated), then check the glibc version installed on the system (for example with ldd --version or getconf GNU_LIBC_VERSION) to see whether it is in the vulnerable range, 2.9 up to but not including 2.23. Keep in mind that distributions backport the fix without changing the version number, so on a packaged system the package changelog or the distribution advisory is the authoritative answer, not the version string alone.
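The following script is an added example written for this post (it is not from the article or from any distribution’s advisory). It classifies a glibc version string against the affected range, reads the version of the glibc actually loaded on this host, and then looks for the CVE identifier in the package changelog on rpm- and Debian-based systems as a check for a backported fix. The changelog paths and the assumption that vendors name the CVE in their changelog entries are assumptions; if neither lookup matches, treat the result as “unknown” and consult your distribution’s advisory.

```shell
#!/bin/sh
# Added example: check whether the running glibc falls in the range affected by
# CVE-2015-7547 (2.9 up to, but not including, 2.23 which carries the upstream fix).
# Caveat: a "vulnerable" version number only means "check your vendor advisory";
# distributions backport the fix without bumping the version.

# vuln_by_version MAJOR.MINOR[.PATCH] -> prints "vulnerable", "not-affected" or "fixed"
vuln_by_version() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}                                   # drop a third component (2.19.1 -> 19)
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')  # strip suffixes such as 17-ubuntu
    if [ "$major" -gt 2 ]; then
        echo fixed
    elif [ "$major" -lt 2 ] || [ "$minor" -lt 9 ]; then
        echo not-affected     # predates the buggy code, which was introduced in 2.9
    elif [ "$minor" -ge 23 ]; then
        echo fixed            # upstream fix shipped in 2.23
    else
        echo vulnerable
    fi
}

# installed_glibc_version -> prints the MAJOR.MINOR of the glibc this shell runs on.
# getconf is part of glibc itself, so it reports the library actually loaded.
installed_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
}

# patched_by_vendor -> exit 0 if the glibc package changelog mentions the CVE
# (assumed changelog locations for rpm- and Debian-based systems)
patched_by_vendor() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog glibc 2>/dev/null | grep -q 'CVE-2015-7547'
    elif [ -r /usr/share/doc/libc6/changelog.Debian.gz ]; then
        zcat /usr/share/doc/libc6/changelog.Debian.gz 2>/dev/null | grep -q 'CVE-2015-7547'
    else
        return 1
    fi
}

report() {
    ver=$(installed_glibc_version)
    if [ -z "$ver" ]; then
        echo "glibc not detected (getconf GNU_LIBC_VERSION failed): not a glibc system, or too old to report"
        return 0
    fi
    printf 'installed glibc %s: %s by version number\n' "$ver" "$(vuln_by_version "$ver")"
    if patched_by_vendor; then
        echo "package changelog mentions CVE-2015-7547: vendor fix appears to be applied"
    else
        echo "no CVE-2015-7547 entry found in the package changelog: check your distribution advisory"
    fi
}

report
```

On a system where the version check says “vulnerable” and the changelog check finds nothing, assume the host is affected until the distribution advisory says otherwise; embedded firmware usually has neither rpm nor a Debian changelog, so there the version number is all you have.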
How to mitigate the issue? The most recommended way to solve the problem is to update the glibc library on your system and restart the services that use it (a process keeps the old, vulnerable copy of the library mapped until it is restarted). If you are using a mainstream, maintained Linux distribution, it should be pretty simple to install the update and restart the affected services (on a desktop PC, if you don’t want to think about what needs to be restarted, a reboot would be an easy option to restart everything).
If you are using a system where you can’t easily apply the patch (an embedded system, an unsupported old Linux, a proprietary system where you have to wait a long time for updates, etc.), then you might need to consider other mitigation options. Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow article tells that because the vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack, the suggested mitigation is to limit the response sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size. The Extremely severe bug leaves dizzying number of software and devices vulnerable article gives some more mitigation tips, including a firewall that drops UDP DNS packets > 512 bytes. Remember that these are stop-gaps: a size limit on UDP does nothing for the TCP path of the same bug, and a hard 512-byte cap will also break legitimate large answers (DNSSEC, large TXT records).
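To make the firewall tip concrete, here is an added example script (not from the article, from Google’s advisory, or from any distribution) that emits the iptables rules to drop inbound UDP DNS replies carrying more than 512 bytes of DNS payload, and that checks which nameservers /etc/resolv.conf actually points at, since the rule only helps if queries go to resolvers you control. It assumes IPv4 and that the iptables length match counts the whole IP packet, so the threshold is 512 plus the 8-byte UDP header plus the 20-byte IPv4 header; by default it only prints the commands, and runs them only when APPLY=1 is set.

```shell
#!/bin/sh
# Added example: stop-gap for hosts that cannot patch glibc (CVE-2015-7547).
# Emits iptables rules dropping UDP DNS replies whose DNS payload exceeds 512
# bytes, and flags nameservers in resolv.conf outside an allow list.
# Assumptions: IPv4 only; "-m length" matches the total IP packet length.
# Caveats: legitimate large UDP answers (DNSSEC, big TXT) are dropped too and
# fall back to TCP, and this does nothing for the TCP path of the same bug.

DNS_MAX=512   # largest DNS payload we accept over UDP
UDP_HDR=8
IPV4_HDR=20

# ip_len_threshold -> smallest IPv4 packet length that carries >512 bytes of DNS
ip_len_threshold() {
    echo $((DNS_MAX + UDP_HDR + IPV4_HDR + 1))
}

# dns_drop_rules -> prints one iptables command per line.
# Replies come from source port 53; cover INPUT (this host) and FORWARD
# (when this box is the gateway in front of unpatched devices).
dns_drop_rules() {
    lo=$(ip_len_threshold)
    for chain in INPUT FORWARD; do
        printf 'iptables -I %s -p udp --sport 53 -m length --length %s:65535 -j DROP\n' "$chain" "$lo"
    done
}

# apply_rules: dry run by default; set APPLY=1 to execute the commands as root
apply_rules() {
    dns_drop_rules | while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ]; then
            eval "$cmd"
        else
            echo "[dry-run] $cmd"
        fi
    done
}

# check_resolvers RESOLV_CONF ALLOWED_IP... -> prints every nameserver in the
# file that is not in the allow list (empty output means only trusted
# resolvers, e.g. a local forwarder that enforces a size limit, are in use)
check_resolvers() {
    f="$1"; shift
    allowed=" $* "
    awk '/^nameserver/ {print $2}' "$f" 2>/dev/null |
    while IFS= read -r ns; do
        case "$allowed" in
            *" $ns "*) ;;
            *) echo "$ns" ;;
        esac
    done
}

apply_rules
# Assumed allow list: a local forwarder only; adjust to your environment.
strays=$(check_resolvers /etc/resolv.conf 127.0.0.1)
if [ -n "$strays" ]; then
    echo "nameservers outside the allow list (queries bypass the local resolver limit): $strays"
fi
```

Run it once without APPLY to review the generated rules, then with APPLY=1 as root. Pair the firewall rule with a local forwarder that limits response sizes, as the Google advisory suggests, and treat both as temporary until the glibc update can be installed.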