Google researchers Fermin J. Serna and Kevin Stadmeyer today released a blog post stating that they found a stack-based buffer overflow vulnerability in the getaddrinfo function in glibc. This is significant for a number of reasons:
The exploit will likely trigger a DNS lookup from a vulnerable system. DNS lookups can be triggered in many ways: An image embedded in a web page, an email sent that is processed by a spam filter (which involves DNS lookups) are just two of many options. The exploit response will exceed 2048 bytes in size. Not all responses > 2048 are exploits. The response may arrive via TCP or UDP. Many modern systems support a feature called "EDNS0". This feature can be used by a client to signal to a server that it is willing to receive UDP responses that are larger than the traditional 512 bytes in size. Features like DNSSEC require EDNS0 to be enabled. Blocking large DNS responses will likely break EDNS0. DNS resolution may fail or will be significantly delayed. What can you do? - Patch! All versions of glibc after 2.9 are vulnerable. Version 2.9 was introduced in May 2008. Affected / Not Affected Major Linux Distributions (work in progress)
[1] https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
--- |
Johannes 4042 Posts ISC Handler Feb 17th 2016 |
||||||||||||||
Thread locked Subscribe |
Feb 17th 2016 4 years ago |
||||||||||||||
PoC: https://github.com/fjserna/CVE-2015-7547
snort sig: http://seclists.org/snort/2016/q1/285 |
MD 11 Posts |
||||||||||||||
Quote |
Feb 17th 2016 4 years ago |
||||||||||||||
CentOS 7 also patched:
https://lists.centos.org/pipermail/centos-announce/2016-February/021672.html Oracle Linux advisory here: http://linux.oracle.com/errata/ELSA-2016-0175.html F5 Networks statement: https://support.f5.com/kb/en-us/solutions/public/k/47/sol47098834.html |
Juha-Matti 5 Posts |
||||||||||||||
Quote |
Feb 17th 2016 4 years ago |
||||||||||||||
Is it really as simple as something like this?
- Register a cheapo domain - Stand up a malicious DNS server for the domain - Send an email from that domain to your target's Linux SMTP gateway - The target’s email server does a PTR lookup on the sender - Game Over |
Anonymous |
||||||||||||||
Quote |
Feb 17th 2016 4 years ago |
||||||||||||||
Should also be noted that a malicious DHCP server could send clients to a malicious name server via DHCP option 5
|
Anonymous |
||||||||||||||
Quote |
Feb 17th 2016 4 years ago |
||||||||||||||
Re: "- make sure all systems on your network use a specific resolver and block outbound DNS unless it originates from this resolver (this is a good idea anyway!). This will limit exposure to the resolver"
Can you please clarify if this will block the issue? Would the specific resolver not still forward the payload to original requestor? Thanks |
SB 1 Posts |
||||||||||||||
Quote |
Feb 18th 2016 4 years ago |
||||||||||||||
What will be the impact of this vulnerability on ICS(industrial Control Systems) ?
|
SB 1 Posts |
||||||||||||||
Quote |
Feb 19th 2016 4 years ago |
||||||||||||||
I'm not an ICS expert but...
You have to distinct two major components in ICS environments: - "Sensors" (ex: PLC's) - Monitoring / Control tools The first ones do not perform lot of DNS requests and are usually talking with the seconds in restricted environments. The second ones could be more affected if they make more intensive use of DNS. If you apply classic security controls (eg segmentation, no Internet access), you should not be (or less) affected. |
Xme 581 Posts ISC Handler |
||||||||||||||
Quote |
Feb 19th 2016 4 years ago |
||||||||||||||
Busy week for exploits, I've written up some content on validating and mitigating the effect on edge Cisco devices, please check it out if it's of interest to you: http://info.stack8.com/blog/cve20157547-google-glibc-vulnerability-cisco-products
|
johnf 6 Posts |
||||||||||||||
Quote |
Feb 19th 2016 4 years ago |
||||||||||||||
By the way, not all 2.19 glibc Debian jessie versions are vulnerable to CVE-2015-7547.
Please refer to the below Debian advisory: https://security-tracker.debian.org/tracker/CVE-2015-7547 |
johnf 1 Posts |
||||||||||||||
Quote |
Feb 22nd 2016 4 years ago |
Sign Up for Free or Log In to start participating in the conversation!