Update 2/17/16 – 12:30 PM PST: Tripwire is planning to release ASPL-657, which will contain detection for CVE-2015-7547. For more information as it becomes available, visit the VERT Threat Alert page here: https://www.tripwire.com/vert/vert-alert/glibc-getaddrinfo-buffer-overflow-cve-2015-7547/.
A critical vulnerability has been discovered in the Linux GNU C Library (glibc) that could potentially allow attackers to execute code on servers and gain remote control of Linux machines, applications and devices.
Researchers at Google and Red Hat uncovered the flaw independently and collaborated to deliver a patch, which has been made available.
Google researchers explained the flaw (CVE-2015-7547) as a stack-based buffer overflow vulnerability in glibc’s DNS client-side resolver, which is triggered when the getaddrinfo() library function is used.
“Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack,” the researchers said.
Much like the GHOST vulnerability (CVE-2015-0235) that came to light last year, the bug is said to affect a large number of Linux distributions, software and devices.
The vulnerability was originally introduced in May 2008, but was reported to the glibc maintainers in July 2015.
“Our initial investigations showed that the issue affected all the versions of glibc since 2.9,” said the researchers.
Nonetheless, users running older versions are advised to update, as well.
“The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further,” warned Google researchers.
However, although successful exploitation of the vulnerability can lead to remote code execution, the researchers noted that an attacker would first need to bypass the security mitigations present on the system, such as ASLR.
For those who are unable to implement the patch immediately, Google researchers outlined possible mitigations:
“The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set,” explained the researchers.
The team also released a non-weaponized proof of concept so that users can determine whether they are affected by the issue and verify any mitigations they choose to enact.
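As an added example (not code from the article, from Google or from glibc), the following Python filter applies the size policy described in the mitigation above to a raw DNS response: anything of 2048 bytes or more is refused on either transport, and a UDP response must fit in 512 bytes, the limit a server that honours truncation should respect before setting the TC bit. The 2048-byte figure comes from the researchers' description; the 512-byte UDP cap, the helper names and the sample messages produced by build_response are this example's own assumptions.

```python
import struct

# Limits used by the filter. The 2048-byte figure is the size of the on-stack
# answer buffer named in the researchers' description of CVE-2015-7547; 512 bytes
# is the classic UDP payload limit (RFC 1035) that a resolver offering no EDNS0
# buffer size should expect a well-behaved server to respect.
STACK_BUFFER_LIMIT = 2048
UDP_PLAIN_LIMIT = 512

QR_BIT = 0x8000   # header flag: message is a response, not a query
TC_BIT = 0x0200   # header flag: response was truncated, client may retry over TCP


def parse_header(msg):
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1) into a dict."""
    if len(msg) < 12:
        raise ValueError("short DNS message: %d bytes" % len(msg))
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    return {
        "id": ident,
        "qr": bool(flags & QR_BIT),
        "tc": bool(flags & TC_BIT),
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def check_response(msg, transport):
    """Apply the size policy to one raw DNS response.

    Returns (accept, reason). transport is "udp" or "tcp". Only the total
    length and the header are examined; record contents are never trusted.
    """
    hdr = parse_header(msg)
    if not hdr["qr"]:
        return False, "not a response (QR=0)"
    # A response this large is exactly what the overflow needs, on either
    # transport. 2048 itself is treated as oversized to stay on the safe side.
    if len(msg) >= STACK_BUFFER_LIMIT:
        return False, "%d-byte response reaches the %d-byte threshold" % (len(msg), STACK_BUFFER_LIMIT)
    if transport == "udp":
        # A server that limits UDP answers sets TC and stays under 512 bytes
        # instead of sending a large datagram; a large UDP answer means it does not.
        if len(msg) > UDP_PLAIN_LIMIT:
            return False, "%d-byte UDP response exceeds %d bytes" % (len(msg), UDP_PLAIN_LIMIT)
        if hdr["tc"]:
            return True, "truncated (TC=1); resolver may retry over TCP"
    elif transport != "tcp":
        raise ValueError("unknown transport %r" % transport)
    return True, "ok"


def build_response(rdata_len, ident=0x1234, tc=False):
    """Constructed test data (not a captured packet): a response to
    'example.com TXT' carrying one answer whose RDATA is opaque padding of
    rdata_len bytes. The filter never reads the RDATA, so its content is
    irrelevant; total message length is 41 + rdata_len bytes."""
    flags = QR_BIT | 0x0100 | 0x0080 | (TC_BIT if tc else 0)   # QR, RD, RA
    header = struct.pack("!6H", ident, flags, 1, 1, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 16, 1)                # QTYPE=TXT, QCLASS=IN
    # NAME is a compression pointer to offset 12 (the question name), then
    # TYPE, CLASS, TTL, RDLENGTH, and the padding RDATA.
    answer = struct.pack("!HHHIH", 0xC00C, 16, 1, 300, rdata_len) + b"\x00" * rdata_len
    return header + question + answer


if __name__ == "__main__":
    # Walk the interesting boundaries: a normal answer, a UDP answer the server
    # should have truncated, a truncated answer, and the 2047/2048-byte edge.
    for rdata_len, tc in ((4, False), (600, False), (4, True), (2006, False), (2007, False)):
        msg = build_response(rdata_len, tc=tc)
        for transport in ("udp", "tcp"):
            accept, reason = check_response(msg, transport)
            print("%4d bytes over %s: %s (%s)" % (len(msg), transport, "accept" if accept else "drop", reason))
```

In practice this logic belongs in a local forwarder or packet filter sitting between the stub resolver and the network; it does not fix glibc, it only removes the oversized responses the bug depends on, so it is a stopgap until the patched library is installed.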