Security advisories | Feb 26, 2019
glibc getaddrinfo() Vulnerability (CVE-2015-7547)
Please be advised that a very serious vulnerability was recently announced in the way many versions of the Linux operating system handle DNS resolution. This vulnerability affects a variety of Linux servers and Linux-based appliances. To help our customers address this threat, we have outlined the attack vector and the applicable mitigation methods below.
What We Know
What is CVE-2015-7547:
- CVE-2015-7547 is a “buffer overflow” bug affecting the getaddrinfo() function calls in the glibc library
- Earliest vulnerable glibc version: glibc-2.9 (released in May 2008)
- The getaddrinfo() function calls are used for DNS resolution. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying specially crafted DNS responses to an application that performs DNS lookups
- Many common Linux programs and commands like sudo, ssh, Python, mail servers, curl, and anything else that performs DNS lookups are potential targets for exploitation
- A proof of concept exploit that allows remote code execution leveraging this vulnerability has been reported, although not publicly released
- It has not yet been confirmed whether correctly formed DNS responses can be crafted that trigger this vulnerability and still pass through a DNS caching name server, which would allow attackers to exploit victims who would otherwise be protected against such attacks
- Although the vulnerability has some similarities to the GHOST vulnerability (CVE-2015-0235) announced last year, its implications are more serious and it needs to be addressed with a higher degree of urgency
Who is affected:
- All versions of the Linux operating system running a vulnerable version of the GNU libc library (versions 2.9 through 2.22 are vulnerable). This includes:
  - Debian (squeeze and later)
  - Ubuntu (12.04 LTS and newer)
  - RHEL 6/7
  - SUSE 11
- Appliances running Linux-based firmware may also be vulnerable (an ongoing list of affected devices is being compiled here: https://www.reddit.com/r/networking/comments/46jfjf/cve20157547_mega_thread/)
Protection
eSentire protection:
- Based on a recently released proof-of-concept exploit, eSentire has updated Network Interceptor™ signatures to detect attempts to exploit this vulnerability
- In light of the seriousness of this vulnerability, we recommend that you immediately apply the appropriate security updates on all vulnerable Linux hosts
- For firmware-based appliances, please consult your vendors for the latest vulnerability information and patches
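As an added local check that is not part of the eSentire advisory, the following POSIX shell script reports whether the installed glibc falls in the 2.9 through 2.22 range listed above and, on rpm- and Debian-based hosts, whether the package changelog records a backported CVE-2015-7547 fix (vendors routinely patch without changing the version number). The function names are my own, and the changelog locations are assumptions about where those distributions keep them.

```shell
#!/bin/sh
# Added check, not from the advisory: is the installed glibc in the 2.9 .. 2.22
# range? An in-range version means "check vendor errata", not "confirmed
# vulnerable", because backported fixes do not bump the version string.
# glibc_in_vulnerable_range VERSION -> exit 0 if 2.9 <= VERSION <= 2.22
glibc_in_vulnerable_range() {
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}                 # strip any patch level: 2.17.1 -> 17
    case "$major$minor" in            # reject empty or non-numeric input
        *[!0-9]*|'') return 2 ;;
    esac
    if [ "$major" -eq 2 ] && [ "$minor" -ge 9 ] && [ "$minor" -le 22 ]; then
        return 0
    fi
    return 1
}
# installed_glibc_version -> prints the running system's glibc version
installed_glibc_version() {
    if command -v getconf >/dev/null 2>&1; then
        getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}'
    else
        ldd --version 2>/dev/null | awk 'NR==1{print $NF}'
    fi
}
# distro_patch_note -> prints the first CVE-2015-7547 line from the package
# changelog (rpm, or the assumed Debian libc6 path), which records backports
distro_patch_note() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --changelog glibc 2>/dev/null | grep -m1 'CVE-2015-7547' || true
    elif [ -r /usr/share/doc/libc6/changelog.Debian.gz ]; then
        zcat /usr/share/doc/libc6/changelog.Debian.gz | grep -m1 'CVE-2015-7547' || true
    fi
}
main() {
    ver=$(installed_glibc_version)
    if ! glibc_in_vulnerable_range "$ver"; then
        echo "glibc $ver is outside the vulnerable range 2.9-2.22"; return 0
    fi
    note=$(distro_patch_note)
    if [ -n "$note" ]; then
        echo "glibc $ver is in range, but the package changelog records the fix: $note"
    else
        echo "glibc $ver is in range and no CVE-2015-7547 fix is recorded; update glibc now"
    fi
}
main
```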