Severe Glibc DNS Vulnerability Found

I saw this morning a notice from my local information security authority titled “GNU C -kirjastosta (glibc) löydetty vakava haavoittuvuus” (“A serious vulnerability found in the GNU C library (glibc)”). It says that, after last year’s GHOST, another nasty security issue has been found in the glibc library: a critical glibc (GNU C Library) security issue that needs a bug-fix update. All glibc versions from 2.9 onward are vulnerable (2.9 was released in 2008). Earlier glibc versions (still seen in many embedded systems even nowadays) are not vulnerable to this, but most probably have many other issues to worry about.

The Extremely severe bug leaves dizzying number of software and devices vulnerable article tells that security researchers (Google’s online security team) have discovered a potentially catastrophic flaw in one of the Internet’s core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them. The vulnerability was introduced in 2008 in the GNU C Library, a collection of open source code that powers thousands of standalone applications and most distributions of Linux, including those distributed with routers and other types of hardware. So since 2008 this vulnerability has left apps and hardware open to remote hijacking. The flaw, CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk of remote code execution. The function known as getaddrinfo(), which performs domain-name lookups, contains a buffer overflow bug that allows attackers to remotely execute malicious code. According to RHSA-2016:0175 – Security Advisory, the stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries: a remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note that the resolver code runs inside every process that calls getaddrinfo(), so “the user running the library” is root whenever the caller is a privileged program such as sshd or sudo. To deliver the crafted response the attacker needs to get the victim to look up an attacker-controlled domain name, to control the DNS server the victim talks to, or to sit in the path as a man-in-the-middle. Remote code execution is possible, but not straightforward: it requires bypassing the security mitigations present on most systems, such as ASLR.

There is already a patch available, but because glibc is so widespread, a very large number of systems on the network are vulnerable right now: this bug leaves hundreds or thousands of apps and hardware devices open to attacks that can take complete control over them. The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate. Based on earlier issues it is to be expected that many vulnerable devices will stay on the network for years and never be fixed. Due to the ubiquity of glibc, this affects an astounding number of machines and software running on the internet, and raises questions about whether glibc ought to still be the preferred C library. The bug affects systems that use glibc, which means practically every Linux distribution; early reports that Android and iOS were affected were incorrect, since Android uses the Bionic libc and iOS does not use glibc at all. Statically linked binaries and applications that bundle their own copy of glibc carry the bug with them and must be rebuilt; updating the system library alone does not fix them.

How to check whether the issue affects me? If you use a mainstream Linux distribution, check the security advisories of your distribution and update your system. If you don’t use a mainstream, actively maintained Linux distribution (for example an embedded Linux system or an old server that is no longer updated), then find out which glibc version you have (the Check glibc version for a particular gcc compiler discussion shows several ways, for example ldd --version or getconf GNU_LIBC_VERSION) to see whether it falls in the vulnerable range. Keep in mind that distributions backport the fix without changing the version number, so a version of 2.9 or later only means “possibly vulnerable”; the package changelog or the distribution advisory tells whether the fix is actually installed.

How to mitigate the issue? The most recommended way to solve the problem is to update the glibc library on your system and restart the services that use it. If you are using a mainstream maintained Linux distribution, it should be pretty simple to install the update and restart the affected services (every long-running process that loaded the old library keeps executing the old code until it is restarted; on a desktop PC, if you don’t want to think about what needs to be restarted, a reboot is the easy option that restarts everything).
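
As an added example (my own script, not code from the original post, Google or Red Hat), here is a POSIX shell script for the check-and-patch procedure above: it reads the running glibc version, flags the affected range, looks in the package changelog for the distribution’s backported fix, and lists processes that still have the replaced libc mapped after the update. The package names (glibc on rpm-based systems, libc6 on Debian derivatives), the changelog location and the /proc/PID/maps “(deleted)” convention are assumptions about a standard Linux layout; the sample maps lines are constructed, not captured from a real host.

```sh
#!/bin/sh
# Added example (not code from the original post, Google or Red Hat):
# check a host for CVE-2015-7547 and find what needs restarting after
# the glibc update.

# Print the running glibc version, e.g. "2.19". getconf is the most
# portable source; fall back to ldd's first output line.
glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || v=$(ldd --version 2>/dev/null | awk 'NR==1 {print $NF}')
    printf '%s\n' "$v"
}

# Return 0 if version $1 lies in the affected range 2.9 <= v < 2.23
# (2.23 is the first upstream release that ships the fix). A version
# alone is not proof of exposure: distributions backport the fix
# without bumping the version, so also run package_mentions_cve.
glibc_version_affected() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" = 2 ] && [ "$minor" -ge 9 ] 2>/dev/null && [ "$minor" -lt 23 ] 2>/dev/null
}

# Return 0 if the installed glibc package's changelog mentions $1
# (default CVE-2015-7547), i.e. the vendor fix is installed. Assumes
# the usual package names: "glibc" on rpm systems, "libc6" on Debian
# derivatives (assumption, adjust for other distributions).
package_mentions_cve() {
    cve=${1:-CVE-2015-7547}
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog glibc 2>/dev/null | grep -q "$cve" && return 0
    fi
    if [ -r /usr/share/doc/libc6/changelog.Debian.gz ]; then
        zcat /usr/share/doc/libc6/changelog.Debian.gz | grep -q "$cve" && return 0
    fi
    return 1
}

# Return 0 if the /proc/PID/maps file $1 shows a libc mapping whose file
# has been replaced on disk: the kernel appends "(deleted)" to the path,
# which means the process is still executing the pre-update code.
# Only libc itself is matched, not e.g. libcrypto.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so[^ ]* \(deleted\)$' "$1"
}

# Print "PID command" for every process that needs a restart.
stale_libc_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_libc "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Constructed sample of /proc/PID/maps lines (not captured from a real
# host) so the detection can be demonstrated stand-alone.
sample_maps() {
    cat <<'EOF'
7f1c3a000000-7f1c3a1bd000 r-xp 00000000 fd:01 131138 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f1c3a3c1000-7f1c3a3c3000 rw-p 001c1000 fd:01 131138 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f1c3a5e0000-7f1c3a5e3000 r-xp 00000000 fd:01 131122 /lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (deleted)
EOF
}

main() {
    v=$(glibc_version)
    printf 'glibc version: %s\n' "${v:-unknown}"
    if glibc_version_affected "$v"; then
        if package_mentions_cve; then
            echo "version in affected range, but the package changelog lists the fix"
        else
            echo "version in affected range and no fix found in the package changelog: PATCH"
        fi
    else
        echo "version outside the affected range (2.9 <= v < 2.23)"
    fi
    echo "processes still mapping a replaced libc (restart these):"
    stale_libc_processes
    echo "constructed sample maps check:"
    tmp=$(mktemp)
    sample_maps > "$tmp"
    maps_has_stale_libc "$tmp" && echo "  sample shows a stale libc mapping"
    rm -f "$tmp"
}

main "$@"
```

The stale-mapping check is the part people forget: after the package update the binary on disk is fixed, but sshd, cron, nginx and every other daemon that was already running keeps the old code mapped until restarted. Debian’s needrestart and the needs-restarting tool from yum-utils do the same scan with more polish; the /proc/PID/maps approach needs only grep and works on minimal and embedded systems as long as the processes are readable.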

If you are using a system where you can’t easily apply the patch (embedded system, unsupported old Linux, proprietary system where you have to wait a long time for updates, etc.), then you might need to consider other mitigation options. Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow article tells that the vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack (the resolver’s parallel A and AAAA queries share a 2048-byte stack buffer; when a response is too large for it a heap buffer is allocated, but under certain conditions a later response is still written through the stale stack buffer). The suggested mitigation is therefore to limit the response sizes accepted by the DNS resolver locally, and to ensure that DNS queries are sent only to DNS servers which limit the response. The Extremely severe bug leaves dizzying number of software and devices vulnerable article gives some more mitigation tips, including a firewall that drops UDP DNS packets > 512 bytes. Keep in mind that such size limits also block legitimate large answers (DNSSEC, EDNS0) and that a firewall rule only covers the UDP path; the TCP path has to be limited on the resolver side.
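
The following is an added example of my own (not code from the original post, Google or the glibc patch mail) that turns the “drop UDP DNS packets > 512 bytes” advice into concrete iptables/ip6tables rules. The practitioner detail it shows is the unit mismatch: the advice talks about the DNS payload, but the iptables length match works on the total IP packet length, so the threshold has to include the IP and UDP headers. The rule shape, the INPUT chain and the source-port-53 match are assumptions about a host whose stub resolver sends queries directly out; an IPv4 header with options (longer than 20 bytes) would shift the threshold slightly.

```sh
#!/bin/sh
# Added example (not from the original post, Google or Red Hat):
# generate and optionally apply the UDP firewall mitigation for
# CVE-2015-7547: drop DNS replies whose UDP payload exceeds a limit.
# Classic DNS over UDP never exceeds 512 bytes unless the client
# negotiated EDNS0 (glibc only does that with "options edns0" in
# /etc/resolv.conf), so 512 is usually safe, but it WILL break DNSSEC
# and other large answers where EDNS0 is in use, and it does nothing
# for the TCP vector, which must be limited on the resolver itself.

# iptables "-m length" matches the TOTAL IP packet length, header
# included, not the DNS payload, so convert the payload limit:
#   IPv4: 20-byte IP header (without options) + 8-byte UDP header
#   IPv6: 40-byte IP header + 8-byte UDP header
# Usage: udp_drop_threshold PAYLOAD_LIMIT 4|6 -> first length to drop
udp_drop_threshold() {
    limit=$1
    case $2 in
        4) echo $((limit + 20 + 8 + 1)) ;;
        6) echo $((limit + 40 + 8 + 1)) ;;
        *) echo "udp_drop_threshold: family must be 4 or 6" >&2; return 1 ;;
    esac
}

# Print (do not execute) the rule that drops inbound DNS replies
# (source port 53) larger than the payload limit for one family.
# Usage: dns_udp_drop_rule [PAYLOAD_LIMIT] [4|6]
dns_udp_drop_rule() {
    limit=${1:-512}
    family=${2:-4}
    tool=iptables
    [ "$family" = 6 ] && tool=ip6tables
    thr=$(udp_drop_threshold "$limit" "$family") || return 1
    printf '%s -I INPUT -p udp --sport 53 -m length --length %s:65535 -j DROP\n' \
        "$tool" "$thr"
}

# Apply the rules for both address families; needs root.
apply_dns_udp_mitigation() {
    limit=${1:-512}
    if [ "$(id -u)" -ne 0 ]; then
        echo "apply_dns_udp_mitigation: root required to change firewall rules" >&2
        return 1
    fi
    dns_udp_drop_rule "$limit" 4 | sh -e
    dns_udp_drop_rule "$limit" 6 | sh -e
}

# Show what would be applied with the 512-byte limit from the patch mail.
dns_udp_drop_rule 512 4
dns_udp_drop_rule 512 6
```

A payload limit of 512 yields “--length 541:65535” for IPv4 and “--length 561:65535” for IPv6. The overflow needs a first response of 2048 bytes or more, so dns_udp_drop_rule 2047 is the least disruptive setting that still removes the UDP trigger; 512 is what the patch mail recommends and is the safer choice on a host that never enabled EDNS0. Replace -I with -D in the generated rule to remove it once the real fix is installed.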


13 Comments

  1. Tomi Engdahl says:

    glibc getaddrinfo() stack-based buffer overflow:netsec
    https://www.reddit.com/r/netsec/comments/462xx0/glibc_getaddrinfo_stackbased_buffer_overflow/

    GitHub – fjserna/CVE-2015-7547: Proof of concept for CVE-2015-7547
    https://github.com/fjserna/CVE-2015-7547

    Reply
  2. Tomi Engdahl says:

    GitHub – cakuzo/CVE-2015-7547: test script for CVE-2015-7547
    https://github.com/cakuzo/CVE-2015-7547

    Reply
  3. Tomi Engdahl says:

    Magnitude of glibc Vulnerability Coming To Light
    http://linux.slashdot.org/story/16/02/18/157239/magnitude-of-glibc-vulnerability-coming-to-light

    The glibc vulnerability disclosed this week has some experts on edge because of how DNS can be leveraged in exploits. Dan Kaminsky said that while man-in-the-middle attacks are one vector, it would appear that it’s also possible to exploit the bug and attack most Linux servers via DNS caching-only servers. ‘This would be substantially worse if it went through the caching ecosystem; 99 percent of attack vectors go through that system,’

    Magnitude of glibc Vulnerability Coming to Light
    https://threatpost.com/magnitude-of-glibc-vulnerability-coming-to-light/116296/

    Not since Stagefright have we had a vulnerability with the scale and reach of the glibc flaw disclosed on Tuesday.

    “It’s pretty bad; you don’t get bugs of this magnitude too often,” said Dan Kaminsky, researcher, cofounder and chief scientist at White Ops. “The code path is widely exposed and available, and it yields remote code execution.”

    The flaw affects most Linux servers, along with a number of web frameworks and services that make use of the open source GNU C library, including ssh, sudo, curl, PHP, Rails and others. Initial reports about the impact on Android were incorrect given that the OS uses the Bionic libc implementation and not glibc.

    The harshness of the bug, a stack-based buffer overflow, rests in the fact that it lives in the glibc DNS client-side resolver, or libresolv library. Since DNS is a core network technology and most services rely on it, the horizontal scale of this bug is massive.

    “An attack would first force a system to make specific DNS queries, using domain names controlled by the attacker. The attacker would then have to run custom-written DNS server software, which generates crafted responses that trigger the vulnerability,”

    “A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches,”

    Adding to the severity of the issue is the fact that the vulnerability was introduced in glibc 2.9, which dates back to May 2008

    The bug, CVE-2015-7547, was discovered independently by researchers at Red Hat and Google who privately disclosed the issue to upstream glibc maintainers, Weimer told Threatpost. Coordination between the two camps began on Jan. 6, though the initial bug disclosure was made last July, according to an advisory on the glibc mailing list.

    Weimer said that most Linux distributions that use glibc have patches available and a regular system upgrade followed by a reboot will address the issue. Source code patches for those who have their own software builds are also available.

    “Most GNU/Linux distributions release glibc updates multiple times per year,”

    Google’s Fermin Serna said there are temporary mitigations that can be implemented until Linux machines can be patched, including limiting the size of a UDP or TCP response accepted by a DNS resolver, and to ensure that DNS queries are sent only to servers that limit the response size. Kaminsky, however, said that most network admins would be unlikely to implement those mitigations for fear of breaking other services.

    “They’re still finding bugs of this magnitude accidentally,” Kaminsky said. “Using ambient bug discovery on core infrastructure is too slow. This was written in 2008 and it sat there year after year. We need to stop accidentally finding these bugs and start comprehensively finding them.”

    Reply
  4. Tomi Engdahl says:

    Funny, I haven’t heard of any showstopper bugs in OpenBSD libc – not this year, not ever

    This bug, after ghost, would be a good opportunity to take a step back for a serious assessment of what must be removed for a secure system.

    If this would have been a vulnerability in MSVCRT, everyone would have mocked Microsoft and Windows.

    However as this is a Linux vulnerability, the attention is turned to the used programming language instead.

    Source: comments at http://linux.slashdot.org/story/16/02/18/157239/magnitude-of-glibc-vulnerability-coming-to-light

    Reply
  5. Tomi Engdahl says:

    Mega bug may hit thousands of devices
    http://news.ftcpublications.com/mega-bug-may-hit-thousands-of-devices/

    A major computer security vulnerability has been discovered – with experts cautiously warning it could potentially affect hundreds of thousands of devices, apps and services.

    However, due to the nature of the bug, it is extremely difficult to know how serious the problem is.

    “Many people are running around right now trying to work out if this is truly catastrophic or whether we have dodged a bullet,” said Prof Alan Woodward, a security expert from the University of Surrey.

    Google engineers, working with security engineers at Red Hat, have released a patch to fix the problem.

    It is now up to manufacturers, and the community behind the Linux operating system, to issue the patch to affected software and devices as soon as possible.

    The code can also be within many of the so-called “building blocks” of the web – programming languages such as PHP and Python are affected, as well as systems used when logging in to sites or accessing email.

    “It’s not a sky-is-falling scenario,” said Washington D.C-based security researcher Kenneth White.

    “But it’s true there’s a very real prospect that a sizable portion of internet-facing services are at risk for hackers to crash, or worse, run remote code to attack others.”

    Reply
  6. Tomi Engdahl says:

    Major security flaw could let hackers take control of smart homes: Bug could leave thousands of devices vulnerable

    Glibc security flaw affects all versions since 2.9, including Linux devices
    Believed routers and other internet connected devices most at risk
    The bug makes many users vulnerable to remote access by hackers
    Researchers from Google and Red Hat have released a patch to fix bug
    Many will have to wait for manufacturers to run updates to patch devices

    Read more: http://www.dailymail.co.uk/sciencetech/article-3451412/The-security-flaw-leave-THOUSANDS-smart-devices-vulnerable.html#ixzz40aajcgie

    Reply
  7. Tomi Engdahl says:

    Deadly Linux Bug Puts Millions Of Systems At Risk, Patch Now Available
    http://www.techtimes.com/articles/134191/20160217/deadly-linux-bug-puts-millions-of-systems-at-risk-patch-now-available.htm

    A huge vulnerability in the GNU C Library (glibc) puts millions of systems at risk, giving hackers the opportunity to take control of Linux machines.

    What this entails is that cyber intruders could steal data and manipulate Linux computers that are connected to the Internet via remote code execution. They can even spy on them or anything else along those lines.

    The vulnerability is CVE 2015-7547, and it’s a stack-based buffer overflow bug that dates back to when glibc 2.9 rolled out in 2008. That means virtually anyone who uses this version of the GNU C Library is standing exposed to attacks.

    By Vincent Lanaria, Tech Times | February 17, 6:46 PM

    Google made a report concerning the problem, warning users to take proper measures.

    “Our initial investigations showed that the issue affected all the versions of glibc since 2.9. You should definitely update if you are on an older version though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack,” Google says.

    The company also notes that it will not release its exploit code, but along with the blog post, it has uploaded a Proof of Concept so that users will be able to check whether or not they are affected by the issue at hand.

    Meanwhile, Red Hat also reported the issue, releasing a patch that’ll resolve it.

    “A back of the envelope analysis shows that it should be possible to write correctly formed DNS responses with attacker controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches,” Carlos O’Donnell, software engineer at Red Hat, says.

    According to Kaspersky Lab, Web frameworks such as Python, PHP and Rails and all Linux servers are affected. It’s also worth mentioning that the flaw can have an impact on any other Unix-based operating system, including Android and iOS.

    Glibc is also the main reason behind the Ghost flaw that researchers found out a year ago, making this the second time that a huge vulnerability bared its fangs in the library.

    While the process is as simple as downloading and installing for other users, it may not be the case for users with apps that were compiled with the affected glibc.

    To boil things down, every Linux user is advised to verify whether they’re affected or not, and apply the patch as soon as possible.

    Reply
  8. Tomi Engdahl says:

    Glibc: Major bug threatens thousands of Linux apps and IoT devices
    Open source? More like open season for hackers
    http://www.theinquirer.net/inquirer/news/2447451/glibc-major-bug-threatens-thousands-of-linux-apps-and-iot-devices

    A SEVERE BUG in a widely used open source library has left hundreds of thousands of Linux apps and hardware open to hackers and malware.

    The flaw is in a function known as getaddrinfo() when used by apps and hardware such as routers based on glibc code to communicate with IP addresses using domain name servers (DNS).

    It triggers a bug that messes with the buffer that is meant to prevent the memory allocated to a program being overwhelmed with data.

    If the getaddrinfo() function is aimed at a server or web address controlled by malicious parties, or intercepted on its way to a server, malware can be inserted into the return data and remotely executed by the type of people you don’t want digging around in your computer, app or router.

    “The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack,” said the Google security boffins in a blog post.

    Hackers using the exploit could get up to all sorts of trouble, crashing apps, swiping passwords, snooping like digital voyeurs or just taking control of the vulnerable device.

    The bug affects glibc versions 2.9 and above. Google and Red Hat have a patch to plug the problem, but developers using earlier versions of the library are advised to get updating as well.

    This is a nasty bug, but the real issue is how long it took to fix as it is thought to have been introduced into glibc in 2008.

    It seems that it hadn’t been fixed, despite Google saying that the chaps who maintain glibc were warned about the bug several years ago.

    “To our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July 2015,” the Google researchers said, possibly a bit smugly.

    Reply
  9. Tomi Engdahl says:

    [PATCH] CVE-2015-7547 — glibc getaddrinfo() stack-based buffer overflow
    https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

    - Mitigating factors for UDP include:
      - A firewall that drops UDP DNS packets > 512 bytes.
    - Mitigating factors for TCP include:
      - Limit all replies to 1024 bytes.

    Reply
  10. Tomi Engdahl says:

    How To Patch and Protect Linux Glibc Getaddrinfo Stack-based Buffer Overflow Zero Day Vulnerability CVE-2015-7547 and CVE-2015-5229 [ 16/Feb/2016 ]
    http://www.cyberciti.biz/faq/linux-patch-cve-2015-7547-glibc-getaddrinfo-stack-based-buffer-overflow/

    Reply
  11. Tomi Engdahl says:

    Our response to the glibc vulnerability: OpenDNS has your back
    https://engineering.opendns.com/2016/02/17/2980/

    Reply
