Earlier this week, the maintainers of the GNU C Library (known as glibc, the open-source C library used by almost every Linux system) announced a fix for a stack-based buffer overflow in the library's DNS resolver. The bug was introduced in glibc 2.9 in 2008 and is fixed in glibc 2.23. It could be used by an attacker to run malicious code on an affected Linux system.
What’s the vulnerability?
The vulnerability (CVE-2015-7547) can be triggered when a DNS query is made by an application that uses the vulnerable glibc library. The glibc client-side DNS resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used: the affected code path is the one that sends parallel A and AAAA queries (the default when an application asks for AF_UNSPEC) and reads the replies into a 2048-byte buffer on the stack. A crafted sequence of replies that exceeds that buffer causes the overflow.
There are several ways the target system can receive a malicious reply:
- the target system makes a DNS query for a domain whose authoritative servers the attacker controls, so the attacker's answer is relayed to the target by its normal recursive resolver;
- the target system is configured to use, or is redirected to, a malicious DNS server; or
- a legitimate DNS reply is modified in transit by a man-in-the-middle attack.
Simply put, an attacker who can get a crafted DNS reply in front of the target can attempt to run code on that Linux system.
What’s the impact?
Any system running an unpatched glibc whose applications resolve hostnames through getaddrinfo() is at risk, which in practice means nearly every Internet-connected Linux machine. An attacker could use this vulnerability to run malicious code on a targeted system. At the time of writing, however, no exploit achieving code execution is known to be in the wild.
This flaw is not quite as serious as Heartbleed (OpenSSL) or Shellshock (Bash), because it is not trivial to exploit: the attacker has to control or tamper with the DNS replies the target receives and deliver them in the right sequence, and turning the overflow into code execution still means getting past the platform's exploit mitigations. It is not beyond a capable attacker either, so it is an issue that must be resolved as soon as possible.
What solutions are available?
Major Linux distributions have already shipped updated glibc packages. System administrators should check whether an update is available for each distribution in use within their organization and apply it. Two caveats: distributions backport the fix, so the package changelog or security advisory, not the upstream version number alone, tells you whether a build is fixed; and because glibc is loaded into nearly every running process, long-running services must be restarted (or the host rebooted) before the fix takes effect.
Broadly speaking, we also recommend that outgoing DNS traffic be allowed only when it is bound for whitelisted DNS servers. A query to a malicious DNS server could be used to exploit this vulnerability; blocking queries to servers not on the whitelist reduces the risk from that vector. It does not address the others: a trusted recursive resolver will still relay an oversized answer from an attacker-controlled authoritative server unless it caps response sizes itself, and a man-in-the-middle can still rewrite a reply in transit, so the whitelist is a stopgap, not a substitute for the patch. (It is worth noting that BIND, the most popular DNS server software in use, implements its own resolver rather than relying on glibc's stub resolver and is not affected, though the host it runs on still needs the glibc update.)
We have released the following Deep Security rules:
- 1007456 – DNS Malformed Response
- 1007458 – Glibc getaddrinfo Stack Based Buffer Overflow Vulnerability (CVE-2015-7547)
- 1007457 – Allowed DNS Resolvers
Two of these rules block potentially malicious DNS traffic: 1007458 is specific to this vulnerability, while 1007456 detects malformed and unusually large DNS responses more broadly. The third rule, 1007457, can be used to implement a whitelist of permitted DNS resolvers.
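As an added illustration (example code written for this article, not part of the original post or of the Deep Security rules), the script below implements the checks those rules and the whitelist recommendation above describe, run over constructed DNS replies: it flags replies from resolvers outside an allow-list, replies larger than the 2048-byte stack buffer glibc's resolver uses, and replies whose records do not fit inside the message. The resolver addresses, hostnames and sample packets are all made up for the example.

```python
import ipaddress
import struct

# glibc's resolver reads replies into a 2048-byte stack buffer; CVE-2015-7547
# requires a reply larger than this, so anything above it is worth flagging.
GLIBC_ANSWER_BUF = 2048


def encode_name(name):
    """Encode a dotted hostname in DNS wire format (uncompressed)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_reply(txid, qname, addresses):
    """Build a minimal DNS A response. Constructed sample data, not captured traffic.
    Each answer names its owner with a compression pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)        # QTYPE=A, QCLASS=IN
    answers = b""
    for addr in addresses:
        # pointer, TYPE=A, CLASS=IN, TTL=60, RDLENGTH=4, then the IPv4 address
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + ipaddress.IPv4Address(addr).packed
    return header + question + answers


def skip_name(msg, off):
    """Return the offset just past a possibly compressed name; raise ValueError if it overruns."""
    while True:
        if off >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:                 # two-byte compression pointer ends the name
            if off + 1 >= len(msg):
                raise ValueError("truncated compression pointer")
            return off + 2
        if length > 63:
            raise ValueError("invalid label length %d" % length)
        off += 1 + length


def walk_message(msg):
    """Walk every section of a DNS message, checking that each record fits inside it.
    Returns (header fields, bytes consumed); raises ValueError when the message is malformed."""
    if len(msg) < 12:
        raise ValueError("shorter than the 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4             # QTYPE + QCLASS
        if off > len(msg):
            raise ValueError("truncated question section")
    for _ in range(an + ns + ar):
        off = skip_name(msg, off)
        if off + 10 > len(msg):                   # TYPE, CLASS, TTL, RDLENGTH
            raise ValueError("truncated resource record header")
        rdlength = struct.unpack("!H", msg[off + 8:off + 10])[0]
        off += 10 + rdlength
        if off > len(msg):
            raise ValueError("RDLENGTH exceeds message")
    header = {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
              "rcode": flags & 0xF, "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}
    return header, off


def check_reply(src_ip, msg, allowed_resolvers):
    """Return findings for one reply seen on the wire; an empty list means it looks acceptable."""
    findings = []
    if ipaddress.ip_address(src_ip) not in {ipaddress.ip_address(r) for r in allowed_resolvers}:
        findings.append("reply from resolver not on the allow-list")
    if len(msg) > GLIBC_ANSWER_BUF:
        findings.append("reply larger than %d bytes" % GLIBC_ANSWER_BUF)
    try:
        header, consumed = walk_message(msg)
        if not header["qr"]:
            findings.append("QR bit clear: not a response")
        if consumed != len(msg):
            findings.append("%d trailing bytes after the last record" % (len(msg) - consumed))
    except ValueError as exc:
        findings.append("malformed: %s" % exc)
    return findings


# Hypothetical resolvers and sample replies, constructed for this example.
ALLOWED = ["10.0.0.53", "10.0.1.53"]
NORMAL = build_reply(0x1234, "www.example.com", ["192.0.2.10"])
OVERSIZED = build_reply(0x1235, "www.example.com",
                        ["192.0.2.%d" % (i % 254 + 1) for i in range(130)])   # 2113 bytes
# Header promises one answer, but the record is cut off after its owner name.
TRUNCATED = build_reply(0x1236, "www.example.com", ["192.0.2.10"])[:-8]


def demo():
    results = {
        "normal reply from allowed resolver": check_reply("10.0.0.53", NORMAL, ALLOWED),
        "oversized reply from allowed resolver": check_reply("10.0.0.53", OVERSIZED, ALLOWED),
        "truncated reply from unknown server": check_reply("198.51.100.7", TRUNCATED, ALLOWED),
    }
    for label, findings in results.items():
        print("%-40s %s" % (label, findings or ["ok"]))
    return results


if __name__ == "__main__":
    demo()
```

The allow-list check mirrors rule 1007457 and the size and structure checks mirror 1007456; the vulnerability-specific signature in 1007458 is not reproduced here. Two caveats for anyone turning this into a real filter: the source address of a UDP reply can be spoofed, so the allow-list is a filter rather than authentication of the resolver, and legitimate EDNS0 and DNSSEC responses can exceed 2048 bytes, so the size check will produce some false positives and is best treated as an alert rather than an outright drop unless the hosts behind it are still unpatched.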