A major vulnerability in the GNU C Library could result in remote code execution, and may affect most Linux machines.
The vulnerability affects all versions of the GNU C Library, commonly known as glibc, since version 2.9. According to Google Staff Security Engineer Fermin J. Serna and Technical Program Manager Kevin Stadmeyer, Google developed a full working exploit while investigating the bug, and a patch has been made available.
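An added check, not from the article and not part of Google's or any vendor's tooling: it reads the running library's version with gnu_get_libc_version() (a glibc-specific call, so it is compiled in only under __GLIBC__) and reports whether the upstream version number falls in the affected range. It assumes the upstream fix shipped in glibc 2.23, which the article does not state. The caveat that matters in practice is that distributions backport the fix without changing the version number, so an in-range result means "check your distribution's advisory", not "vulnerable".

```c
#include <stdio.h>
#include <stdlib.h>
#ifdef __GLIBC__
#include <gnu/libc-version.h>   /* gnu_get_libc_version(), glibc only */
#endif

/* First upstream release with the bug (from the article) and first release
 * with the fix (assumption: glibc 2.23; the article does not give this). */
#define AFFECTED_FROM_MINOR 9
#define FIXED_IN_MINOR     23

/* Parse a "MAJOR.MINOR..." version string. Returns 0 on success, -1 if the
 * string is not of that form (empty, or mangled by a vendor). */
static int parse_glibc_version(const char *s, int *major, int *minor) {
    char *end;
    long maj = strtol(s, &end, 10);
    if (end == s || *end != '.') return -1;
    const char *p = end + 1;
    long min = strtol(p, &end, 10);
    if (end == p || maj < 0 || min < 0) return -1;
    *major = (int)maj;
    *minor = (int)min;
    return 0;
}

/* 1 = upstream version number is in the affected range, 0 = outside it,
 * -1 = could not parse. A 1 is only a prompt to read the distribution's
 * advisory: a backported fix keeps the upstream version number. */
static int glibc_version_affected(const char *version) {
    int maj, min;
    if (parse_glibc_version(version, &maj, &min) != 0) return -1;
    if (maj != 2) return 0;    /* the range only exists within the 2.x series */
    return (min >= AFFECTED_FROM_MINOR && min < FIXED_IN_MINOR) ? 1 : 0;
}

int main(void) {
#ifdef __GLIBC__
    const char *v = gnu_get_libc_version();
    int r = glibc_version_affected(v);
    printf("running glibc %s: %s\n", v,
           r == 1 ? "upstream number in affected range; verify against your distribution's advisory"
         : r == 0 ? "upstream number outside affected range"
                  : "version string not understood");
#else
    puts("not running on glibc; nothing to check");
#endif
    return 0;
}
```

On a Red Hat or Debian system the reported number will typically sit inside the range even after the vendor patch has been installed, which is exactly why the program's only verdict is "go and read the advisory".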
Serna and Stadmeyer said in a statement: “You should definitely update if you are on an older version though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack.
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”
The trigger is a DNS response larger than the 2048-byte stack buffer that getaddrinfo() reserves for answers, arriving over UDP or TCP, followed by a second response. The resolver copes with the oversized first reply by switching to a larger heap buffer, but the size limit it then applies to the second reply no longer matches the stack buffer that reply is written into, so the second reply overflows the stack. Because the attacker must control both replies, the exposure is to attacker-controlled domain names, rogue DNS servers, or a man-in-the-middle on the resolver's path. Remote code execution is possible, but requires bypassing the mitigations present on the system, such as ASLR.
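A model of that size/pointer mismatch, added here as an illustration and not glibc's resolver code: two replies share one 2048-byte "stack" buffer, an oversized first reply moves the writer to a heap buffer, and the vulnerable variant then writes the second reply back into the stack buffer using the heap buffer's size. The frame, canary and reply lengths are constructed for the example, and every write is clamped to the simulated frame so the program itself never corrupts memory; the canary check shows which variant would have smashed the stack.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_BUF   2048   /* the caller's fixed stack buffer, as described above */
#define HEAP_BUF    65536  /* size the writer switches to for an oversized reply */
#define CANARY_LEN  64     /* bytes past the buffer standing in for saved frame data */
#define CANARY_BYTE 0xAA

/* Simulated stack frame: the answer buffer followed by a canary region
 * (constructed for this example). */
struct frame {
    unsigned char region[STACK_BUF + CANARY_LEN];
};

static void frame_init(struct frame *f) {
    memset(f->region, 0, STACK_BUF);
    memset(f->region + STACK_BUF, CANARY_BYTE, CANARY_LEN);
}

static bool canary_intact(const struct frame *f) {
    for (size_t i = 0; i < CANARY_LEN; i++)
        if (f->region[STACK_BUF + i] != CANARY_BYTE) return false;
    return true;
}

/* Copy a reply of `len` bytes to `dst`, limited by the capacity the writer
 * believes it has (`cap`). `physical` is the true size of the destination and
 * exists only so that this model never writes outside real memory. */
static void deliver(unsigned char *dst, size_t physical, size_t cap, size_t len) {
    size_t n = len < cap ? len : cap;
    if (n > physical) n = physical;
    memset(dst, 'R', n);   /* constructed reply bytes; content is irrelevant here */
}

/* Vulnerable pattern: an oversized reply 1 moves pointer and capacity to the
 * heap buffer together, but reply 2 is addressed back at the stack buffer while
 * `cap` still holds the heap size. Returns true if the canary survived. */
static bool resolve_pair_vulnerable(size_t len1, size_t len2) {
    struct frame f;
    unsigned char *stack = f.region, *heap = NULL, *buf = stack;
    size_t cap = STACK_BUF;
    frame_init(&f);

    if (len1 > cap) {
        heap = malloc(HEAP_BUF);
        if (!heap) return false;
        buf = heap;
        cap = HEAP_BUF;
    }
    deliver(buf, buf == heap ? HEAP_BUF : sizeof f.region, cap, len1);

    /* BUG (modelled): the destination reverts to the stack, the capacity does not. */
    deliver(stack, sizeof f.region, cap, len2);

    free(heap);
    return canary_intact(&f);
}

/* Hardened pattern: the capacity used for a write is always the remaining
 * size of the buffer actually being written. */
static bool resolve_pair_fixed(size_t len1, size_t len2) {
    struct frame f;
    unsigned char *stack = f.region, *heap = NULL;
    frame_init(&f);

    if (len1 > STACK_BUF) {
        heap = malloc(HEAP_BUF);
        if (!heap) return false;
        size_t used = len1 < HEAP_BUF ? len1 : HEAP_BUF;
        deliver(heap, HEAP_BUF, HEAP_BUF, len1);
        deliver(heap + used, HEAP_BUF - used, HEAP_BUF - used, len2);  /* reply 2 stays on the heap */
    } else {
        deliver(stack, sizeof f.region, STACK_BUF, len1);
        deliver(stack + len1, sizeof f.region - len1, STACK_BUF - len1, len2);
    }
    free(heap);
    return canary_intact(&f);
}

int main(void) {
    printf("vulnerable, 2049 then 2049 bytes: canary %s\n",
           resolve_pair_vulnerable(2049, 2049) ? "intact" : "CLOBBERED");
    printf("vulnerable, 100 then 2049 bytes:  canary %s\n",
           resolve_pair_vulnerable(100, 2049) ? "intact" : "CLOBBERED");
    printf("fixed, 2049 then 2049 bytes:      canary %s\n",
           resolve_pair_fixed(2049, 2049) ? "intact" : "CLOBBERED");
    return 0;
}
```

With either reply at 2048 bytes or less the canary survives in both variants: the first reply must exceed the buffer to trigger the heap switch, and the second must exceed it to run off the frame, which is why the article describes the trigger as an oversized response followed by another one.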
The bug was reported to the glibc maintainers in July 2015, but the vulnerable code dates from May 2008 and is in every release from glibc 2.9 onwards. Carlos O’Donnell, Principal Software Engineer at Red Hat, said in an advisory that the vulnerability has likely not been publicly attacked, but that execution control can be gained without much more effort.
Tod Beardsley, Security Research Manager at Rapid7, said that like the GHOST vulnerability from 2015, this will affect lots of Linux client and server applications, and like GHOST, it's pretty difficult to "scan the internet" for it, since it's a bug in shared library code.
“There are certainly loads and loads of IoT devices out in the world that aren't likely to see a patch any time soon,” he says. “So, for all those devices you can't reasonably patch, your network administrator could take a look at the mitigations published by Red Hat, and consider the impact of limiting the actual on-the-wire size of DNS replies in your environment. While it may be a heavy-handed strategy, it will buy you time to ferret out all those IoT devices that people have squirrelled away on your network.”
Dave Palmer, Director of Technology at Darktrace, said: “It seems that this bug primarily affects the servers that run company applications and internet services, but probably also much of the IoT. However, it is still unclear how easy it is to exploit.
“Uncertainty surrounds not only this bug, but all future threats. It is simply impossible to guess where the next vulnerabilities will be discovered. So as companies run around trying to work out if and how this will affect them, they should also fundamentally re-think how they are protecting the entirety of their systems. Without an immune system, which automatically monitors for abnormality, it is extremely difficult to keep up with today’s threat landscape.”
David Flower, MD EMEA at Carbon Black, said: “Linux users have long since held the belief that their systems are secure by design and are invulnerable to attack. However, the string of high-profile Linux malware, from last year’s Mumblehard, which had gone undetected for five years, to 2012’s Snakso, which gave hackers remote access to servers, has proven this belief to be false. Google’s discovery of Glibc has delivered another significant blow to this misconception, highlighting that a basic flaw has been present within the code itself.
“Whilst it has yet to be exploited by hackers, those that fail to patch the vulnerability will face a significant threat now that the bad guys have been alerted to its presence.”