Years-old critical GNU C Library vulnerability patched by open source providers

Linux

Ubuntu, Red Hat, and a number of other leading open source solutions providers have patched a critical vulnerability in the GNU C Library that has been around for years.

On Tuesday, Ubuntu published a security advisory about the vulnerability, which affects the glibc and eglibc packages in Ubuntu 15.10, 14.04 LTS, and 12.04 LTS:

"It was discovered that the GNU C Library incorrectly handled receiving responses while performing DNS resolution. A remote attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code."

The glibc package is the GNU Project's implementation of the C standard library. It is Unix-like, which led the developers of multiple Linux-based systems, web frameworks, and online services to build their products using the library.

The flaw affects all versions of glibc 2.9, meaning that the vulnerability has been around since at least 2008. However, it was not made public by researchers until July of 2015.

Attackers have thus had eight years to find and abuse the bug for a multitude of nefarious purposes.

Google published more information in a post on its security blog:

"The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack."

To exploit the vulnerability, attackers would need to force a system to create specific DNS queries used by domain names under their control. They would then need to run custom-written DNS server software, the crafted responses of which would trigger the flaw.

Mitm

As a ThreatPost report describes, man-in-the-middle attacks from a malicious actor on a local network would be the most direct exploitation vector under this attack scenario.

However, no known public exploits are currently known, and even if some are discovered, experts say it is unlikely that there will be more than just a few.

]"Payloads needed for exploiting this for code execution are probably not going to be well-formed responses and will likely get dropped en route," Craig Young, a security researcher at Tripwire, told SC Magazine.\
But it's better to be safe than sorry, right?

If you are running an affected version of glibc, you should implement the patch (the details of which can be found here) sooner rather than later.

Should an immediate patch be impossible, Google has discovered some mitigation techniques that could prevent exploitation. To read more, check out the Google online security blog post.

Tags: , , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, , ,

No comments yet.

Leave a Reply