In a recent blog post, Google announced that high-level researchers discovered a serious glibc security vulnerability that opens up Linux servers and other platforms using the GNU C Library to remote code execution.
The security flaw (CVE-2015-7547) affects any platform using glibc 2.9 or later. This includes Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Debian squeeze, Debian wheezy and Debian jessie, as well as software such as ssh, sudo, curl, Python, PHP and Rails, according to InfoWorld. Google stated that glibc's client-side DNS resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used.
Initial reports said that Android was also affected by the vulnerability, but this has since been confirmed as false. The Android OS uses Bionic libc, according to Threatpost contributor Michael Mimoso, who calls the glibc flaw the most severe, far-reaching exploit since Stagefright.
Continuation of an alarming trend
The newly found glibc cyber threat may sound all too familiar for those who have been following the world of open source vulnerabilities. It was only a little over a year ago that researchers reported on GHOST, another buffer overflow vulnerability associated with glibc, which made it possible to run arbitrary code on various Linux operating systems and other frameworks. Trend Micro noted at the time that despite appearing menacing at first glance, the vulnerability had been patched for a while, and that many applications were impervious to the threat.
In September 2014, researchers also called attention to the Bash vulnerability, named Shellshock, which similarly made it possible for hackers to execute code remotely on Linux servers and other systems affected by the flaw. Only a few months prior, the Heartbleed flaw in OpenSSL's heartbeat extension was found to be exploitable, and just like its cyber-threat successors, it plagued a variety of applications and services.
More troubles ahead for the IoT
One of the main reasons these open source vulnerabilities are frightening is that so many applications rely on the affected code, which means something as serious as the glibc flaw is definite cause for concern. This will be especially true in years to come as the Internet of Things blossoms into the interconnected web of devices everyone says it will be. Many of these devices will leverage open source code, which means that any time a vulnerability such as the glibc flaw is uncovered, millions or even billions of devices could potentially be at risk. Imagine, for example, that hackers are able to run commands that raise the temperature in a home, or cut the lights in an office. It's a scary thought, and one that's not too far from reality.
To make matters worse, vulnerabilities such as the glibc flaw that affect such a wide range of applications, operating systems and devices mean that a lot of systems will have to be patched – and fast. Unfortunately, not all of these systems will be able to apply fixes in a timely manner, or ever for that matter, and that's assuming fixes are made available in the first place. Even now, there are applications that continue to be at risk of known vulnerabilities. Not to mention, there are plenty more unknown vulnerabilities out there, and there's no guarantee that hackers won't find them first.
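A triage sketch for the patching problem described above, added here as an example and not taken from Google's post or any vendor tooling. It checks whether a glibc version falls in the affected range (2.9 or later) and lists processes that still map the old libc after the package was replaced on disk, since those keep running the old code until restarted. The function names and the `--scan` flag are assumptions of this example, and the version check cannot see fixes that a distribution backported without changing the version number.

```shell
#!/bin/sh
# Added example, not from the article: triage helpers for CVE-2015-7547.

# Succeeds if VERSION (e.g. "2.19") is 2.9 or later, the range the article
# gives. Components are compared as integers: read as a decimal, 2.19 < 2.9.
glibc_in_affected_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 9 ]; }
}

# Reads /proc/<pid>/maps text on stdin. Succeeds if a libc mapping is marked
# "(deleted)": the file was replaced on disk after the process started.
maps_has_stale_libc() {
    grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$'
}

# Prints "PID command line" for every process under PROC_ROOT (default /proc)
# that still maps a replaced libc and needs a restart to load the new one.
list_stale_libc_pids() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        [ -r "$dir/maps" ] || continue
        if cat "$dir/maps" 2>/dev/null | maps_has_stale_libc; then
            cmd=$(cat "$dir/cmdline" 2>/dev/null | tr '\000' ' ' | sed 's/ *$//')
            printf '%s %s\n' "${dir##*/}" "$cmd"
        fi
    done
}

# Run as root with --scan to check the local host.
if [ "${1:-}" = "--scan" ]; then
    ver=$(getconf GNU_LIBC_VERSION 2>/dev/null | sed 's/^glibc //')
    if [ -n "$ver" ] && glibc_in_affected_range "$ver"; then
        echo "glibc $ver is in the affected range; confirm the vendor fix is installed"
    fi
    list_stale_libc_pids
fi
```

Reading other users' `/proc/<pid>/maps` needs root, so an unprivileged run only reports the caller's own processes.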
One beneficial approach to cybersecurity is a multi-layered one. It's not enough to rely exclusively on network security; endpoint attack vectors such as smartphones must also be secured where possible.
This two-pronged approach isn't a silver bullet – there's no such thing when it comes to cybersecurity – but it can mitigate cyber threats that result from vulnerabilities on either the network end, or on the device end.