
Critical glibc GHOST bug leaves all Linux machines vulnerable

Severe and potentially disruptive bug... Patch available

4:55 am on Feb 17, 2016 (gmt 0)

robert_charlton (Moderator from US)


News running through many security blogs today....

Critical glibc Vulnerability Puts All Linux Machines at Risk
by Michael Mimoso - Feb 16, 2016
[threatpost.com...]

Glibc, the GNU C library at the core of last year’s GHOST vulnerability, is vulnerable to another critical flaw affecting nearly all Linux machines, as well as API web services and major web frameworks where the code runs.

The vulnerability, discovered independently by researchers at Google and Red Hat, has been patched.

The flaw, CVE-2015-7547, is a stack-based buffer overflow in the glibc DNS client-side resolver that puts Linux machines at risk for remote code execution. The flaw is triggered when the getaddrinfo() library function is used, Google said today in its advisory [googleonlinesecurity.blogspot.ca...]


Ars Technica describes the bug as "a potentially catastrophic flaw in one of the Internet's core building blocks." The nature of the flaw, its discovery, its potential for widespread vulnerability remind me in many ways of the Heartbleed bug.

Extremely severe bug leaves dizzying number of software and devices vulnerable
by Dan Goodin - Feb 16, 2016
[arstechnica.com...]

...The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate.... [White] said he suspects that the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; the Python, PHP, and Ruby on Rails programming languages; and many other things that use Linux code to look up the numerical IP address of an Internet domain. Most Bitcoin software is reportedly vulnerable, too....

...Maintainers of glibc, as the open source library is called, released an update that patches the vulnerability. Anyone responsible for Linux-based software or hardware that performs domain name lookups should install it as soon as possible.

10:19 am on Feb 17, 2016 (gmt 0)

robert_charlton (Moderator from US)


PS: Both the Google advisory and other glibc maintainers provide mitigation suggestions for those not able to immediately install the patch...

CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
Google Online Security Blog
February 16, 2016

[googleonlinesecurity.blogspot.ca...]

Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set....

Ars Technica, noted above, provides a more extensive list, and the Ars write-up also references the Red Hat article [access.redhat.com...]

9:21 pm on Feb 17, 2016 (gmt 0)

Senior Member


*eats popcorn*

This is beyond the concern of a casual webmaster. Is it an actual bug, or a back door that someone tripped over and figured out? There isn't a major piece of software out there that doesn't have a way in for special people anymore. Have they tracked where affected machines were connecting to yet?

10:10 pm on Feb 17, 2016 (gmt 0)

bill (Administrator from JP)


Looks like it's an exploitable bug that was introduced 7 or 8 years ago. Regular updates should cover most, but it's always those who can't or won't upgrade who are of concern here.

5:22 am on Feb 18, 2016 (gmt 0)

lammert (Senior Member from KZ)


The problem seems to be in a piece of code added to support IPv6 DNS queries. Even if IPv6 is not enabled on your network interfaces, DNS queries to getaddrinfo() may start a parallel query for A and AAAA addresses for a given host name with the side effect that the allocated receive buffer is too small to receive the largest possible response packet. The extra bytes are overwriting part of the stack, which can either crash the calling application, or with a carefully crafted response packet may compromise security and run arbitrary code injected from the DNS server.

If updating to the newest glibc version is not possible, the main mitigation factor is limiting the maximum allowed UDP and TCP response packet sizes at the firewall level to less than 2048 bytes.
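As an added example (not from this thread, Google's advisory or glibc itself), a small Python check that applies the size rule quoted above to a raw DNS reply before a resolver consumes it: it decodes the header, ignores anything that is not a response, and flags replies at or above the 2048-byte mark. The `make_response` helper is an assumption of this example that builds constructed sample replies (header plus filler bytes, not real resource records) so the check runs offline.

```python
import struct

# Threshold from the advisories quoted in this thread: replies of 2048 bytes
# or more are the trigger, so a cautious resolver front-end refuses them.
OVERSIZE_THRESHOLD = 2048


def parse_dns_header(payload):
    """Decode the 12-byte DNS header; raise ValueError if it is not there."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": ident,
        "qr": bool(flags & 0x8000),   # 1 = this message is a response
        "tc": bool(flags & 0x0200),   # truncation bit (upstream cut the reply)
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def check_response(payload):
    """Classify one raw DNS message (no TCP length prefix).

    Returns "not-a-response" (QR bit clear), "oversized" (at or above the
    threshold, so drop it) or "ok". A small reply with TC set is "ok": that is
    what a well-behaved upstream server sends instead of an oversized UDP
    reply, and the same size rule then applies to the TCP retry.
    """
    hdr = parse_dns_header(payload)
    if not hdr["qr"]:
        return "not-a-response"
    if len(payload) >= OVERSIZE_THRESHOLD:
        return "oversized"
    return "ok"


def make_response(ident, total_len, truncated=False):
    """Constructed sample reply: a real header followed by filler bytes, not
    genuine resource records. Only the size and the flags matter here."""
    flags = 0x8180 | (0x0200 if truncated else 0)   # QR, RD, RA set; NOERROR
    header = struct.pack("!6H", ident, flags, 1, 0, 0, 0)
    return header + b"\x00" * (total_len - len(header))


if __name__ == "__main__":
    for size in (512, 2047, 2048, 4096):
        print(size, check_response(make_response(0x1234, size)))
```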

12:13 am on Feb 19, 2016 (gmt 0)

Senior Member


Thanks for that explanation lammert. I suspect that not all UDP and TCP packet sizes above the 2048-byte level would be malicious, or even intentional, so would limiting them at the firewall level as you suggest cause other software to possibly fail?

I'm just trying to wrap my head around the possible scope of this discovery; it has some really smart people really concerned, but is beyond my technical level to follow at the moment.