Critical glibc vulnerability CVE-2015-7547

What’s the glibc getaddrinfo vulnerability?

Red Hat has updated details on the vulnerability.

A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the
nss_dns NSS service module. (CVE-2015-7547)

The technical explanation about the exploit

This is best provided by Google’s security team themselves.

glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at_nss_dns_gethostbyname4_r() for hosting responses to a DNS query.

Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.

Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.

The vectors to trigger this buffer overflow are very common and can include ssh, sudo, and curl. We are confident that the exploitation vectors are diverse and widespread; we have not attempted to enumerate these vectors further.

Who’s vulnerable?

Quite a lof systems are potentially vulnerable to this exploit:

All versions of glibc after 2.9 are vulnerable. Version 2.9 was introduced in May 2008.

What I need to do?

Due to the emerging risks outlined above, we strongly recommend that affected customers apply system updates to affected systems as soon as patches become available and as soon as operationally feasible. If you are unsure about patch availability for your system, visit the security section of your distribution’s website.

Fix for RHEL/CentOS & Ubuntu:

Step 1 :

Identify glibc version running on your server and see if its already patched or patch is available:

RHEL/CentOS:

Check existing glibc version:

# ldd –version

If you have 10’s or 100’s of servers to check you can use our Ansible Playbook

Check if patch is already applied to present package:

# rpm -qa glibc --changelog |head -20

and you find below details:

* Thu Jan 14 2016 Carlos O’Donell <[email protected]> – 2.12-1.166.5

– Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296028).

Check if your current package match version listed above (2.12-1.166.5)

# rpm -qa | grep glibc

Ubuntu:

Check if patch is available:

# apt-cache show libc6

# apt-get changelog libc-bin |grep CVE-2015

With below result:

– debian/patches/any/CVE-2015-7547-pre1.diff: fix memory leak in

– debian/patches/any/CVE-2015-7547-pre2.diff: fix memory leak in

– debian/patches/any/CVE-2015-7547.diff: fix buffer handling in

– CVE-2015-7547

Or

# apt-get changelog libc-bin | head -20

with below result:

* SECURITY UPDATE: glibc getaddrinfo stack-based buffer overflow

– debian/patches/any/CVE-2015-7547-pre1.diff: fix memory leak in

resolv/nss_dns/dns-host.c.

– debian/patches/any/CVE-2015-7547-pre2.diff: fix memory leak in

include/resolv.h, resolv/gethnamaddr.c, resolv/nss_dns/dns-canon.c,

resolv/nss_dns/dns-host.c, resolv/nss_dns/dns-network.c,

resolv/res_query.c, resolv/res_send.c.

– debian/patches/any/CVE-2015-7547.diff: fix buffer handling in

resolv/nss_dns/dns-host.c, resolv/res_query.c, resolv/res_send.c.

– CVE-2015-7547

Step 2:

If you found that your existing version is not upgraded/patched, proceed with upgrading your glibc packages

RHEL/CentOS:

# yum clean all

# yum update glibc

Ubuntu:

# apt-get --only-upgrade install libc-bin

Or

# apt-get upgrade

Step 3:

Since glibc used by several services, and complete the patch deployment process, you need to either reboot your server (Recommended)

Or

# lsof | awk '/libc-/ {print $1}' | sort -u)

and restart the listed services from above command output.

If you need any assistance please contact us on security[at]urolime[dot]com, we provide FREE support to implement this patch up to 2 Servers.

Please follow and like us:
Urolime Technologies has made groundbreaking accomplishments in the field of Google Cloud & Kubernetes Consulting, DevOps Services, 24/7 Managed Services & Support, Dedicated IT Team, Managed AWS Consulting and Azure Cloud Consulting. We believe our customers are Smart to choose their IT Partner, and we “Do IT Smart”.
Posts created 182

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts

Begin typing your search term above and press enter to search. Press ESC to cancel.

Enjoy this blog? Please spread the word :)