What’s the glibc getaddrinfo vulnerability?
Red Hat has updated details on the vulnerability.
A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547)
The technical explanation about the exploit
This is best provided by Google’s security team themselves.
glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query.
Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.
Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.
The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.
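The explanation above comes down to a (pointer, size) pair for the answer buffer falling out of sync when the answer moves from the 2048-byte stack reservation to a heap allocation. The following C program is an added, deliberately simplified model of that buffer handoff written for this page; it is not glibc's code, and the names (answer_buf, answer_reserve, dual_query_model) are hypothetical. It shows the defensive shape: pointer, capacity and ownership live in one struct, the capacity used to bound a write is always read from the very buffer the write targets, and the two answers of a dual A/AAAA lookup grow independently. The responses are constructed byte patterns, not real DNS messages.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors the 2048-byte stack reservation described in the text. */
#define STACK_ANSWER_SIZE 2048

/* One DNS answer buffer. Pointer, capacity and ownership travel together, so
 * the bound for any write is taken from the same buffer the write targets. */
struct answer_buf {
    unsigned char *ptr;
    size_t cap;
    int on_heap;
};

static void answer_init(struct answer_buf *b, unsigned char *stack_mem, size_t cap)
{
    b->ptr = stack_mem;
    b->cap = cap;
    b->on_heap = 0;
}

/* Make room for `need` bytes, moving the answer onto the heap when the stack
 * reservation is too small. ptr and cap are updated together; the stack buffer
 * is never written for this answer again. Returns -1 on allocation failure. */
static int answer_reserve(struct answer_buf *b, size_t need)
{
    unsigned char *p;
    if (need <= b->cap)
        return 0;
    p = b->on_heap ? realloc(b->ptr, need) : malloc(need);
    if (p == NULL)
        return -1;
    b->ptr = p;
    b->cap = need;
    b->on_heap = 1;
    return 0;
}

/* Copy a response into the answer buffer. Returns bytes stored or -1.
 * The bound is b->cap of the buffer actually written, never a stale size. */
static long answer_store(struct answer_buf *b, const unsigned char *resp, size_t len)
{
    if (answer_reserve(b, len) != 0)
        return -1;
    if (len > b->cap)        /* defensive: reserve guarantees this holds */
        return -1;
    memcpy(b->ptr, resp, len);
    return (long)len;
}

static void answer_release(struct answer_buf *b)
{
    if (b->on_heap)
        free(b->ptr);
    b->ptr = NULL;
    b->cap = 0;
    b->on_heap = 0;
}

/* Model of the dual A/AAAA lookup: two answers, each starting in its own stack
 * reservation. Responses are constructed fill patterns (0x41 for A, 0x42 for
 * AAAA). Returns a bitmask: bit 0 set if the A answer moved to the heap, bit 1
 * set if the AAAA answer did; -1 if a store or the integrity check failed. */
int dual_query_model(size_t a_len, size_t aaaa_len)
{
    unsigned char stack_a[STACK_ANSWER_SIZE];
    unsigned char stack_aaaa[STACK_ANSWER_SIZE];
    struct answer_buf a, aaaa;
    unsigned char *resp_a = malloc(a_len);
    unsigned char *resp_aaaa = malloc(aaaa_len);
    int result = -1;

    if (resp_a == NULL || resp_aaaa == NULL)
        goto out;
    memset(resp_a, 0x41, a_len);
    memset(resp_aaaa, 0x42, aaaa_len);

    answer_init(&a, stack_a, sizeof stack_a);
    answer_init(&aaaa, stack_aaaa, sizeof stack_aaaa);

    if (answer_store(&a, resp_a, a_len) != (long)a_len ||
        answer_store(&aaaa, resp_aaaa, aaaa_len) != (long)aaaa_len)
        goto release;

    /* Integrity check: stored bytes must equal what was received. */
    if (memcmp(a.ptr, resp_a, a_len) != 0 ||
        memcmp(aaaa.ptr, resp_aaaa, aaaa_len) != 0)
        goto release;

    result = (a.on_heap ? 1 : 0) | (aaaa.on_heap ? 2 : 0);

release:
    answer_release(&a);
    answer_release(&aaaa);
out:
    free(resp_a);
    free(resp_aaaa);
    return result;
}

int main(void)
{
    printf("A=500  AAAA=600  -> %d (both on stack)\n", dual_query_model(500, 600));
    printf("A=500  AAAA=3000 -> %d (AAAA moved to heap)\n", dual_query_model(500, 3000));
    printf("A=4096 AAAA=4096 -> %d (both moved to heap)\n", dual_query_model(4096, 4096));
    return 0;
}
```

The point of the model is the invariant, not the allocation strategy: once the answer has moved to the heap there is no code path that can still address the stack array with the larger capacity, which is the mismatch the advisory describes.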
Who’s vulnerable?
Quite a lot of systems are potentially vulnerable to this issue:
All versions of glibc after 2.9 are vulnerable. Version 2.9 was introduced in May 2008.
- Red Hat Enterprise Linux 6 & CentOS 6: RHSA-2016:0175-1
- Red Hat Enterprise Linux 7 & CentOS 7: RHSA-2016:0176-1
- Debian Squeeze, Wheezy, Jessie & Stretch: CVE-2015-7547
- Ubuntu 12.04 & 14.04: CVE-2015-7547
What do I need to do?
Due to the emerging risks outlined above, we strongly recommend that affected customers apply system updates to affected systems as soon as patches become available and as soon as operationally feasible. If you are unsure about patch availability for your system, visit the security section of your distribution’s website.
Fix for RHEL/CentOS & Ubuntu:
Step 1:
Identify the glibc version running on your server and check whether it is already patched or a patch is available:
RHEL/CentOS:
Check existing glibc version:
# ldd --version
If you have tens or hundreds of servers to check, you can use our Ansible Playbook.
Check if the patch is already applied to the installed package:
# rpm -q --changelog glibc | head -20
and look for an entry like the one below:
* Thu Jan 14 2016 Carlos O'Donell <[email protected]> - 2.12-1.166.5
- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296028).
Check whether your current package version matches the version listed above (2.12-1.166.5):
# rpm -qa | grep glibc
Ubuntu:
Check if the patch is available:
# apt-cache show libc6
# apt-get changelog libc-bin | grep CVE-2015
with the result below:
- debian/patches/any/CVE-2015-7547-pre1.diff: fix memory leak in
- debian/patches/any/CVE-2015-7547-pre2.diff: fix memory leak in
- debian/patches/any/CVE-2015-7547.diff: fix buffer handling in
- CVE-2015-7547
Or
# apt-get changelog libc-bin | head -20
with the result below:
* SECURITY UPDATE: glibc getaddrinfo stack-based buffer overflow
  - debian/patches/any/CVE-2015-7547-pre1.diff: fix memory leak in
    resolv/nss_dns/dns-host.c.
  - debian/patches/any/CVE-2015-7547-pre2.diff: fix memory leak in
    include/resolv.h, resolv/gethnamaddr.c, resolv/nss_dns/dns-canon.c,
    resolv/nss_dns/dns-host.c, resolv/nss_dns/dns-network.c,
    resolv/res_query.c, resolv/res_send.c.
  - debian/patches/any/CVE-2015-7547.diff: fix buffer handling in
    resolv/nss_dns/dns-host.c, resolv/res_query.c, resolv/res_send.c.
  - CVE-2015-7547
Step 2:
If you find that your existing version is not upgraded/patched, proceed with upgrading your glibc packages.
RHEL/CentOS:
# yum clean all
# yum update glibc
Ubuntu:
# apt-get --only-upgrade install libc-bin
Or
# apt-get upgrade
Step 3:
Since glibc is used by several services, to complete the patch deployment you need to either reboot your server (recommended)
or run
# lsof | awk '/libc-/ {print $1}' | sort -u
and restart the services listed in the output of the command above.
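The three steps above, gathered into one POSIX shell script as an added example written for this page (not part of the original post or of any distribution's tooling). The live mode assumes rpm or apt-get and lsof are installed and uses the changelog commands from the steps above in their `rpm -q --changelog glibc` form; the parsing functions read command output on stdin, so the script also runs offline against the constructed sample changelog and lsof excerpts embedded below, which are modelled on the output quoted in the text and are not captured from a real host.

```shell
#!/bin/sh
# Added example: check whether the installed glibc carries the CVE-2015-7547 fix
# and list processes that still map libc and must be restarted after upgrading.

CVE_ID="CVE-2015-7547"

# Step 1: print the glibc changelog for whichever package manager is present.
# Exit status 1 if neither rpm nor apt-get exists on this host.
glibc_changelog() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog glibc
    elif command -v apt-get >/dev/null 2>&1; then
        apt-get changelog libc-bin
    else
        return 1
    fi
}

# Step 1 (parsing): succeed only if the changelog text on stdin records the CVE.
changelog_has_fix() {
    grep -q -- "$CVE_ID"
}

# Step 3 (parsing): from lsof output on stdin, print the unique command names
# that have a libc-* object mapped; these are the services to restart.
procs_using_libc() {
    awk '/libc-/ { print $1 }' | sort -u
}

# Orchestration: 0 = patched, 1 = not patched, 2 = could not determine.
glibc_patch_status() {
    log=$(glibc_changelog 2>/dev/null) || return 2
    printf '%s\n' "$log" | changelog_has_fix
}

# Constructed samples (shaped like the output quoted in the text; the maintainer
# e-mail is a placeholder, the PIDs, inodes and sizes are made up).
SAMPLE_CHANGELOG_PATCHED="* Thu Jan 14 2016 Carlos O'Donell <email elided> - 2.12-1.166.5
- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296028)."
SAMPLE_CHANGELOG_OLD="* Mon Jan 04 2016 Placeholder Maintainer - 2.12-1.166.4
- Unrelated fix."
SAMPLE_LSOF="COMMAND   PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
sshd     1234 root mem  REG  253,0  1926800 1310 /lib64/libc-2.12.so
nginx    2345 root mem  REG  253,0  1926800 1310 /lib64/libc-2.12.so
nginx    2346 www  mem  REG  253,0  1926800 1310 /lib64/libc-2.12.so
cron     3456 root mem  REG  253,0    65536 1440 /lib64/libnss_dns-2.12.so"

# --live: inspect this host. Default: exercise the parsers on the samples.
if [ "${1:-}" = "--live" ]; then
    glibc_patch_status; rc=$?
    case $rc in
        0) echo "glibc changelog records $CVE_ID: patched" ;;
        1) echo "glibc changelog does not mention $CVE_ID: upgrade required" ;;
        *) echo "could not determine package manager" ;;
    esac
    echo "Processes to restart after upgrading:"
    lsof 2>/dev/null | procs_using_libc
else
    printf '%s\n' "$SAMPLE_CHANGELOG_PATCHED" | changelog_has_fix && echo "sample 1: patched"
    printf '%s\n' "$SAMPLE_CHANGELOG_OLD" | changelog_has_fix || echo "sample 2: not patched"
    echo "sample lsof, processes mapping libc:"
    printf '%s\n' "$SAMPLE_LSOF" | procs_using_libc
fi
```

Run it as `sh check-glibc.sh --live` on a host to get the status and the restart list, or without arguments to see the parsers work on the samples. The exit status of `glibc_patch_status` is what a configuration-management tool would key on when rolling the check out to many servers.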
If you need any assistance please contact us at security[at]urolime[dot]com; we provide FREE support to implement this patch on up to 2 servers.