glibc getaddrinfo() Vulnerability (CVE-2015-7547)

Please be advised that a very serious vulnerability was recently announced to the way many versions of the Linux operating system handle DNS resolution. This vulnerability affects a variety of Linux servers and Linux-based appliances. In order to help our customers address this threat we have outlined the vector and mitigation methods applicable to this vulnerability below.

What We Know

What is CVE-2015-7547:

• CVE-2015-7547 is a “buffer overflow” bug affecting the getaddrinfo() function calls in the glibc library
• Earliest vulnerable glibc version: glibc-2.9 (released in May 2008)
• The getaddrinfo() function calls are used for DNS resolution. To exploit this vulnerability, an attacker must trigger a buffer overflow by supplying specially crafted DNS responses to an application that performs DNS lookups
• Many common Linux programs and commands like sudo, ssh, Python, mail servers, curl, and anything else that performs DNS lookups are potential targets for exploitation
• A proof of concept exploit that allows remote code execution leveraging this vulnerability has been reported, although not publicly released
• It has not yet been confirmed whether it is possible to craft correctly formed DNS responses that will trigger this vulnerability and penetrate through a DNS caching name server, thus allowing attackers to exploit victims who would otherwise be protected against such attacks
• Although the vulnerability has some similarities to the GHOST vulnerability (CVE-2015-0235) announced last year, its implications are more serious and it needs to be addressed with a higher degree of urgency

Who is affected:

• All versions of the Linux operating system running a vulnerable version of the GNU libc library (versions 2.9 through 2.22 are vulnerable). This includes:
  • Debian (squeeze and later)
  • Ubuntu (12.04 LTS and newer)
  • RHEL 6/7
  • SUSE 11
  • Appliances running Linux-based firmware may also be vulnerable (an ongoing list of affected devices is being compiled here: https://www.reddit.com/r/networking/comments/46jfjf/cve20157547_mega_thread/)

Protection

eSentire protection:

• Based on a recently released proof-of-concept exploit, eSentire has updated Network Interceptor™ signatures to detect attempts to exploit this vulnerability
• In light of the seriousness of this vulnerability, we recommend that you immediately apply the appropriate security updates on all vulnerable Linux hosts
• For firmware-based appliances, please consult your vendors for the latest vulnerability information and patches

Resources

• https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
• https://blog.cloudflare.com/a-tale-of-a-dns-exploit-cve-2015-7547/
• http://dankaminsky.com/2016/02/20/skeleton/#dns