eSentire White Logo

Security advisories | Feb 26, 2019

glibc getaddrinfo() Vulnerability (CVE-2015-7547)

Please be advised that a very serious vulnerability was recently announced to the way many versions of the Linux operating system handle DNS resolution. This vulnerability affects a variety of Linux servers and Linux-based appliances. In order to help our customers address this threat we have outlined the vector and mitigation methods applicable to this vulnerability below.

What We Know
What is CVE-2015-7547:
  • CVE-2015-7547 is a “buffer overflow” bug affecting the getaddrinfo() function calls in the glibc library
  • Earliest vulnerable glibc version: glibc-2.9 (released in May 2008)
  • The getaddrinfo() function calls are used for DNS resolution. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying specially crafted DNS responses to an application that performs DNS lookups
  • Many common Linux programs and commands like sudo, ssh, Python, mail servers, curl, and anything else that performs DNS lookups are potential targets for exploitation
  • A proof of concept exploit that allows remote code execution leveraging this vulnerability has been reported, although not publicly released
  • It has not yet been confirmed whether it is possible to craft correctly formed DNS responses that will trigger this vulnerability and penetrate through a DNS caching name server, thus allowing attackers to exploit victims who would otherwise be protected against such attacks
  • Although the vulnerability has some similarities to the GHOST vulnerability (CVE-2015-0235) announced last year, its implications are more serious and it needs to be addressed with a higher degree of urgency
Who is affected:
  • All versions of the Linux operating system running a vulnerable version of the GNU libc library (versions 2.9 through 2.22 are vulnerable). This includes:
eSentire protection:
  • Based on a recently released proof-of-concept exploit, eSentire has updated Network Interceptor™ signatures to detect attempts to exploit this vulnerability
  • In light of the seriousness of this vulnerability, we recommend that you immediately apply the appropriate security updates on all vulnerable Linux hosts
  • For firmware-based appliances, please consult your vendors for the latest vulnerability information and patches