Official Supportmonk Company Blog!

Critical glibc buffer overflow vulnerability in getaddrinfo() on Linux

February 17, 2016 , 3:58 pm


Another DNS-triggered remote code execution flaw in glibc has followed last year's "GHOST" bug in gethostbyname() (CVE-2015-0235). This one sits in getaddrinfo() and was discovered independently by the Google Security Team and Red Hat.

The vendor updates for this issue cover two separate glibc problems:

1. CVE-2015-7547, the getaddrinfo() stack buffer overflow that gives this post its name
2. CVE-2015-5229, an unrelated calloc() bug that Red Hat fixed alongside it in the Enterprise Linux 7 update

Every glibc release from 2.9 (2008) up to, but not including, 2.23 is affected by CVE-2015-7547. The fix is to update the glibc package to a patched version and then restart everything that still has the old library mapped.

Vulnerability in detail

A stack-based buffer overflow was found in libresolv, in the code that performs the parallel A and AAAA DNS queries which getaddrinfo() issues when an application asks for both IPv4 and IPv6 addresses (AF_UNSPEC, the common case). A remote attacker who controls the DNS reply, whether through a malicious authoritative server for a name the victim is made to look up, a compromised recursive resolver or an on-path position, can send a specially crafted response that makes libresolv crash or potentially execute code with the privileges of the process that made the lookup. The overflow occurs in the functions send_dg (for UDP queries) and send_vc (for TCP queries) in libresolv. The issue is only exposed when libresolv is called from the nss_dns NSS service module, which is what the usual "hosts: files dns" line in /etc/nsswitch.conf selects. (CVE-2015-7547)
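To make the description above concrete, here is a small C model of the answer-buffer bookkeeping in send_dg(). It is an added illustration written for this post, not glibc source and not the published proof of concept. The sizes (a 2048-byte stack buffer, a MAXPACKET-sized heap buffer) and the nature of the mistake (glibc assigned the enlarged size to the first answer buffer's size variable even when the buffer being replaced was the second one) follow the public fix; the answer_slot structure, the names grow_slot, deliver_reply and simulate_dual_query, and the assumption that both replies start in separate 2048-byte stack buffers are simplifications. The model never writes past a buffer; instead it reports how many bytes a real recvfrom() with the wrong length would have written past the end.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Sizes taken from glibc: getaddrinfo()'s caller chain supplies a 2048-byte
   stack buffer, and a reply that will not fit is moved to a MAXPACKET-sized
   heap buffer.  Everything else here is a simplified model, not glibc code. */
#define STACK_ANSWER_SIZE 2048
#define MAXPACKET 65536

/* One answer slot: where the reply is copied, how large that memory really is,
   and how large the resolver believes it is (the *anssizp value in glibc). */
struct answer_slot {
    unsigned char *buf;
    size_t real_size;
    size_t believed_size;
    bool on_heap;
};

/* Move a slot to a fresh heap buffer because a reply of reply_len bytes will not
   fit.  With vulnerable == true the believed size of the FIRST slot is updated
   no matter which slot actually grew, mirroring the CVE-2015-7547 mistake. */
static void grow_slot(struct answer_slot *first, struct answer_slot *target,
                      size_t reply_len, bool vulnerable)
{
    if (reply_len <= target->believed_size)
        return;                             /* the size check passes; no growth */
    unsigned char *newp = malloc(MAXPACKET);
    if (newp == NULL)
        return;                             /* keep the old buffer; reply truncates */
    if (target->on_heap)
        free(target->buf);
    target->buf = newp;
    target->real_size = MAXPACKET;
    target->on_heap = true;
    if (vulnerable)
        first->believed_size = MAXPACKET;   /* BUG: wrong slot when target != first */
    else
        target->believed_size = MAXPACKET;  /* FIX: update the slot that grew */
}

/* Copy a reply into a slot, bounded by the believed size exactly as a recvfrom()
   call with that length would be.  The copy is clamped to real_size so this
   model never corrupts memory; the return value is the number of bytes a real
   recvfrom() would have written past the end of the buffer (0 = safe). */
static size_t deliver_reply(struct answer_slot *slot, size_t reply_len)
{
    size_t n = reply_len < slot->believed_size ? reply_len : slot->believed_size;
    size_t safe = n < slot->real_size ? n : slot->real_size;
    memset(slot->buf, 0x41, safe);          /* stand-in for the DNS payload bytes */
    return n - safe;
}

/* Scenario: the server answers the AAAA query first with aaaa_len bytes, then the
   A query with a_len bytes.  Returns the total bytes that would land beyond the
   real end of a buffer; anything above 0 is a stack smash in the vulnerable build. */
size_t simulate_dual_query(size_t aaaa_len, size_t a_len, bool vulnerable)
{
    unsigned char a_buf[STACK_ANSWER_SIZE];     /* the caller's stack buffer */
    unsigned char aaaa_buf[STACK_ANSWER_SIZE];  /* model simplification: a second
                                                   fixed-size buffer for AAAA */
    struct answer_slot a    = { a_buf,    sizeof a_buf,    sizeof a_buf,    false };
    struct answer_slot aaaa = { aaaa_buf, sizeof aaaa_buf, sizeof aaaa_buf, false };

    grow_slot(&a, &aaaa, aaaa_len, vulnerable);     /* oversized AAAA: slot 2 grows */
    size_t overflow = deliver_reply(&aaaa, aaaa_len);

    grow_slot(&a, &a, a_len, vulnerable);           /* size check uses believed size */
    overflow += deliver_reply(&a, a_len);

    if (aaaa.on_heap) free(aaaa.buf);
    if (a.on_heap) free(a.buf);
    return overflow;
}

int main(void)
{
    printf("vulnerable build: %zu bytes written past the stack buffer\n",
           simulate_dual_query(3000, 4000, true));
    printf("fixed build:      %zu bytes written past the stack buffer\n",
           simulate_dual_query(3000, 4000, false));
    printf("small AAAA reply: %zu bytes (bug not reachable)\n",
           simulate_dual_query(1000, 4000, true));
    return 0;
}
```

With the vulnerable bookkeeping, a 3000-byte AAAA reply enlarges the second slot but marks the first, still 2048-byte, stack buffer as 65536 bytes, so the following 4000-byte A reply passes the size check and 1952 bytes land past the end of the stack buffer; with the fix the first slot is grown on its own and nothing overflows. The third call shows why the attacker has to send an oversized reply for one of the two queries first: if the second slot never grows, the wrong size is never recorded.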

Separately, the calloc() implementation in glibc could return memory areas containing non-zero bytes, which could result in unexpected application behaviour such as hangs or crashes. This is a correctness bug rather than a memory-safety hole like the one above, but it is fixed by the same package update. (CVE-2015-5229)

 

Affected Products

All versions of the glibc package shipped with Red Hat Enterprise Linux 6 and 7 were affected by this flaw (Red Hat Enterprise Linux 5 ships glibc 2.5, which predates the vulnerable code).

Red Hat Enterprise Linux 6 & CentOS 6       : RHSA-2016:0175-1

Red Hat Enterprise Linux 7 & CentOS 7       : RHSA-2016:0176-1

Debian Squeeze, Wheezy, Jessie & Stretch    : CVE-2015-7547

Ubuntu 12.04 & 14.04                        : CVE-2015-7547

For Debian and Ubuntu, look up CVE-2015-7547 in the distribution's security tracker to find the fixed package version for your release.

 

How is the vulnerability triggered, and what are the possible attack paths?

The trigger is a DNS response, not a request: any code path that resolves a host name through getaddrinfo() and nss_dns feeds attacker-influenced data to the vulnerable code, and a crafted response can then exploit it. The attacker needs to control or spoof the reply, for example by running the authoritative server for a name the victim is made to look up, by compromising the recursive resolver the victim uses, or by sitting on the network path between them. Common places where a server resolves names on behalf of strangers:

>>> SSH logins             : on each SSH login sshd resolves the client's address back to a name (UseDNS is enabled by default on the OpenSSH versions in these distributions), and the ssh client resolves whatever server name it is given

>>> Mail servers           : every incoming connection is checked against reverse DNS, DNS blacklists, SPF records and so on, all of them lookups the sender can steer

>>> curl requests on a server : if an application lets user input trigger an HTTP(S) fetch, the attacker chooses the name that gets resolved

How to patch server?

On Red Hat Enterprise Linux and CentOS the fixed packages are in the normal repositories, so update glibc with yum (as root):

$ yum clean all

$ yum update glibc

Afterwards confirm with rpm -q glibc that the installed version is at least the one named in the advisory for your release.

A library update does not touch processes that already have the old libc mapped, so after updating you must either reboot (the simplest and safest option) or restart every long-running process, starting with the public-facing services. If you cannot reboot, list the processes still running on the old, now deleted, copy of glibc:

lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t

From the resulting list, identify the public-facing services and restart them, then re-run the command until it shows only processes you can afford to leave until the next reboot.

On Red Hat Enterprise Linux 7 and CentOS 7 the init process itself (systemd, PID 1) also has glibc mapped and cannot be restarted like a normal unit. Re-execute it in place after the glibc update:

$ systemctl daemon-reexec

This only replaces the library inside systemd itself; the services it manages still need their own restart, or a reboot.
