On 16th February 2016, Google engineers released details of a bug in the glibc code which can allow an attacker to trigger a buffer overflow, resulting in a denial of service (DoS) and/or remote code execution. The bug itself has been known about for some time, but until now was not considered to be dangerous. The vulnerable glibc function, getaddrinfo(), is responsible for performing DNS lookups. Under certain circumstances it is possible to remotely cause this function to be called, triggering the device to perform a DNS lookup of an attacker-controlled domain. An attacker can craft a DNS response which is larger than the device expects, thus causing a buffer overflow condition. A buffer overflow is an error that, under the right conditions, can be used by hackers to inject arbitrary code into the execution flow of a device, allowing them to take control of it.
Could my organisation be vulnerable?
The affected glibc function is present on a large range of devices, and is used by many applications commonly found on default installations of Linux/Unix, so it is difficult to enumerate which devices are vulnerable. The types of device affected include Linux servers/desktops, home routers and smaller internet-connected devices, or possibly even your fridge! Alternatively, think of those devices you have sat in the server room, such as a climate monitoring device, door control system or network appliance, that your IT team rarely go near. Often it will be running a Linux-based operating system and could well be vulnerable.
Known vulnerable distributions include (but are not limited to):
- Ubuntu 12.04
- Ubuntu 14.04
- Debian 7
- CentOS 6
- CentOS 7
- Red Hat Enterprise Linux 6
- Red Hat Enterprise Linux 7
- Any unsupported Linux distributions
How can we detect the issue?
There are a number of scripts available to perform manual detection of this vulnerability. See references included at the bottom of this page for details.
For customers who have a SureCloud Internal Appliance, a scan policy has been set up to specifically detect CVE-2015-7547. A scan can be configured through the SureCloud Platform using the tool policy ‘SureGuard: Vulnerability: glibc (CVE-2015-7547)’. Alternatively, see plugin IDs 88784, 88793, 88768, 88798, 88797, 88785, 88783, 88806 and 88769.
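As an added illustration of the kind of manual, version-based triage the detection scripts perform (this is example code written for this page, not a SureCloud tool or one of the referenced scripts), the following Python script asks the running C library for its version and reports whether it falls inside the upstream affected range. Upstream glibc introduced the bug in 2.9 and fixed it in 2.23; distributions backport the fix to older version strings, so a hit from this check means "compare the installed package against your vendor's advisory", not "confirmed vulnerable". The sample version strings in the block are constructed for demonstration.

```python
"""Version-based triage for CVE-2015-7547 (glibc getaddrinfo() overflow).

Added example, not SureCloud code. Reports whether a glibc version string
falls inside the upstream affected range (2.9 <= version < 2.23). Vendors
backport the fix, so treat "inside-affected-range" as a prompt to check the
package changelog or vendor advisory, not as proof of exposure.
"""
import ctypes
import ctypes.util
import re

AFFECTED_FIRST = (2, 9)    # upstream: bug introduced in glibc 2.9
FIXED_UPSTREAM = (2, 23)   # upstream: bug fixed in glibc 2.23


def parse_glibc_version(text):
    """Extract (major, minor) from a version string such as '2.19' or the
    first line of `ldd --version`, e.g. 'ldd (Ubuntu EGLIBC 2.19-0ubuntu6.7) 2.19'.
    Returns None when no dotted version is present."""
    match = re.search(r'\b(\d+)\.(\d+)', text)
    if match is None:
        return None
    return (int(match.group(1)), int(match.group(2)))


def classify_version(version):
    """Classify a (major, minor) tuple against the upstream affected range."""
    if AFFECTED_FIRST <= version < FIXED_UPSTREAM:
        return "inside-affected-range"
    return "outside-affected-range"


def triage(version_text):
    """Parse and classify in one step; 'unknown' when the string has no version."""
    version = parse_glibc_version(version_text)
    if version is None:
        return "unknown"
    return classify_version(version)


def installed_glibc_version():
    """Ask the running C library for its version via gnu_get_libc_version().
    Returns None when the process is not linked against glibc (musl, macOS,
    Windows), which is itself useful information for an inventory."""
    try:
        libc = ctypes.CDLL(ctypes.util.find_library("c") or None)
        get_version = libc.gnu_get_libc_version
    except (OSError, AttributeError):
        return None
    get_version.restype = ctypes.c_char_p
    return get_version().decode()


if __name__ == "__main__":
    # Constructed sample strings, shaped like `ldd --version` / package output.
    samples = [
        "ldd (Ubuntu EGLIBC 2.19-0ubuntu6.7) 2.19",
        "glibc-2.17-106.el7_2.4",
        "GNU C Library (GNU libc) stable release version 2.23",
        "uClibc 0.9.33 (not glibc)",
    ]
    for sample in samples:
        print(f"{sample!r:60} -> {triage(sample)}")

    local = installed_glibc_version()
    if local is None:
        print("This host is not running glibc (or the version could not be read).")
    else:
        print(f"Running glibc {local} -> {triage(local)}")
```

Run it on each Linux host you are triaging; an "inside-affected-range" result for a supported distribution should then be checked against the distribution's own package version for CVE-2015-7547, since the version string alone cannot tell a backported fix from an unpatched build.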
What can we do to protect our organisation’s users?
To protect against this attack, update glibc to the latest version provided by your distribution, which is not affected.
Get in touch
Should you have any questions regarding this or any security matter, please do not hesitate to get in touch by opening a support ticket or emailing SureCloud Support.
Whilst every effort is made to ensure the accuracy and robustness of any information presented, it is not possible for SureCloud to test every possible scenario an organisation may face, and SureCloud cannot be held liable for any loss or damage which may arise from taking action on any of the contents provided. SureCloud strongly advises that all recommendations, solutions and detection methods detailed are thoroughly reviewed and tested in non-production environments before being considered suitable for production release, in line with any existing internal change control procedures.