Vulnerability Description

A heap-based buffer overflow was found in glibc’s __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() glibc function calls. A remote attacker able to make an application call either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the application.

 

Exposure & Impact

This vulnerability allows a remote attacker who is able to make an application call gethostbyname() or gethostbyname2() to execute arbitrary code with the permissions of the user running the application.

 

Remediation & Mitigation

VERT recommends applying patches from vendors when available.

 

Detection

VERT is currently working on coverage for IP360. This alert will be updated as coverage is available.

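VERT has created custom ASPL rules that can be manually added to your VNE to detect vulnerable systems.

Caveat: Neither of these rules accounts for source-patched versions from vendors. Both compare the reported glibc version against 2.18, so a vendor build that carries the fix under a lower version number is still flagged.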

 

Rule 1

#Based on glibc - Update with libc file path
EXECUTE { 

import aspl_sshcore
from version import Version, VersionException

aspl_sshcore.startSSH(rule)

fixed_version = '2.18'

rule.SEND('/lib/x86_64-linux-gnu/libc.so.6| grep -Eo "version.* [0-9]\.[0-9]+"')
rule.waitForData()
try:
    result = rule.buffer.split('\x0a')[0].split(' ')[-1]
except IndexError:
    rule.STOP(False)

try:
    if Version(result) < Version(fixed_version):
        rule.STOP(True)
except VersionException:
    rule.STOP(False)


rule.STOP(False)
}

Rule 2

#Based on LDD which should match the glibc version
EXECUTE { 

import aspl_sshcore
from version import Version, VersionException

aspl_sshcore.startSSH(rule)

fixed_version = '2.18'

rule.SEND('ldd --version | grep -Eo "ldd.* [0-9]\.[0-9]+"')
rule.waitForData()
try:
    result = rule.buffer.split(' ')[-1]
except IndexError:
    rule.STOP(False)

try:
    if Version(result) < Version(fixed_version):
        rule.STOP(True)
except VersionException:
    rule.STOP(False)


rule.STOP(False)
}
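
The version comparison that both rules perform, as an added Python example that runs on captured command output (it is not VERT's ASPL code; the function names and sample outputs are constructed for illustration). It compares versions numerically, so 2.9 sorts below 2.18, and it returns 'unknown' instead of a clean result when no version can be parsed.

```python
import re

FIXED_VERSION = (2, 18)  # same threshold as fixed_version in the rules above

# Trailing "major.minor" token, as left by the grep in either rule's command.
_VERSION_RE = re.compile(r"(?:^|\s)(\d+)\.(\d+)\s*$")


def parse_glibc_version(line):
    """Return (major, minor) as ints from one line of output, or None."""
    match = _VERSION_RE.search(line)
    return (int(match.group(1)), int(match.group(2))) if match else None


def assess(output):
    """Return 'flagged', 'not-flagged' or 'unknown' for captured output."""
    for line in output.splitlines():
        version = parse_glibc_version(line)
        if version is not None:
            # Tuple comparison is numeric: (2, 9) < (2, 18), unlike "2.9" < "2.18".
            return "flagged" if version < FIXED_VERSION else "not-flagged"
    return "unknown"  # nothing parseable: do not report the host as clean


# Constructed sample outputs, not captured from real hosts.
SAMPLES = [
    "ldd (GNU libc) 2.17\n",
    "ldd (Ubuntu EGLIBC 2.15-0ubuntu10.9) 2.15\n",
    "version 2.19\n",
    "ldd (GNU libc) 2.9\n",
    "",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", assess(sample))
```

A 'flagged' result carries the same caveat as the rules: check it against the vendor's package version, since the fix may be present in a build that still reports a version below 2.18.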

References

https://access.redhat.com/articles/1332213

http://www.openwall.com/lists/oss-security/2015/01/27/9