ALERT: Update ASAP for vulnerability in Linux glibc library
Wednesday, February 17, 2016
This message is intended for U-M IT staff who are responsible for university devices or applications that use Linux. It was sent via email to the IT Security Community, Frontline Notify, and Unix Admins groups on February 17, 2016.
A vulnerability in the glibc open source code library used in Linux could allow attackers to remotely execute malicious code. Glibc is widely used in Internet-connected devices. The getaddrinfo() function within glibc, which performs domain-name lookups, contains a buffer overflow bug. This can be exploited when devices or applications make queries to attacker-controlled domain names or domain name servers. Vulnerable devices and applications may also be exposed to man-in-the-middle attacks where the adversary has the ability to monitor and manipulate data passing between a vulnerable device and the Internet.
All versions of glibc after 2.9 are vulnerable. Maintainers of glibc have released an update that patches the vulnerability.
Anyone responsible for Linux-based software or hardware should install updates that patch the vulnerability as soon as possible after appropriate testing.
- For those running servers, patching will be a simple matter of downloading the update and installing it.
- Some applications that were compiled with a vulnerable version of glibc will have to be recompiled with an updated version of the library. Users will need to wait for fixes to become available from hardware manufacturers and application developers and then install the updates as soon as possible.
If you are not able to immediately patch your instance of glibc, consider these mitigations from the Google Online Security Blog: "The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set."
Additional mitigations from the glibc project are available at [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow.
As of 11:00 a.m., February 17, 2016, publicly available exploit code will likely only crash vulnerable applications. However, publicly-available information indicates that exploit code has been developed that can perform remote code execution (RCE). While the details of that code are not being made available publicly, there is significant ongoing effort to develop publicly-available RCE exploit code. It is likely that this effort will be successful, but it isn’t yet clear how long that may take. However, there is some information available that indicates that a successful RCE exploit may not be difficult to develop.
The buffer overflow occurs in the function send_dg (UDP) and send_vc (TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family and in some cases also with AF_INET6 before the fix in commit 8479f23a (only use gethostbyname4_r if PF_UNSPEC).
The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA. A mismanagement of the buffers used for those queries could result in the response writing beyond the allocated buffer created by __res_nquery.
The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl.
Use the command ldd --version to determine the version of glibc on a system.
Information for Users
In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open shared documents or email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.
Questions, Concerns, Reports
Please contact firstname.lastname@example.org.
- CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow (Google Online Security Blog, 2/16/16)
- CVE-2015-7547 (Red Hat)
- [PATCH] CVE-2015-7547 --- glibc getaddrinfo() stack-based buffer overflow (glibc project, 2/16/16)
- CVE-2015-7547: Critical Vulnerability in glibc getaddrinfo (InfoSec Handlers Diary Blog, 2/16/16)
- How To Patch and Protect Linux Glibc Getaddrinfo Stack-based Buffer Overflow Zero Day Vulnerability CVE-2015-7547 and CVE-2015-5229 (nixCraft, 2/17/16)
- Glibc: Mega bug may hit thousands of devices (BBC News, 2/17/16)
- Extremely severe bug leaves dizzying number of software and devices vulnerable (Ars Technica, 2/16/16)
- Patch Linux now, Google, Red Hat warn, over critical glibc bug (ZDNet, 2/17/16)