Please be advised that a very serious vulnerability was recently announced in the way many versions of the Linux operating system handle DNS resolution. This vulnerability affects a variety of Linux servers and Linux-based appliances. To help our customers address this threat, we have outlined the attack vector and the applicable mitigation methods below.

What We Know
What is CVE-2015-7547:
  • CVE-2015-7547 is a “buffer overflow” bug affecting the getaddrinfo() function calls in the glibc library
  • Earliest vulnerable glibc version:  glibc-2.9 (released in May 2008)
  • The getaddrinfo() function calls are used for DNS resolution. To exploit this vulnerability, an attacker must trigger the buffer overflow by supplying specially crafted DNS responses to an application that performs DNS lookups
  • Many common Linux programs and commands like sudo, ssh, Python, mail servers, curl, and anything else that performs DNS lookups are potential targets for exploitation
  • A proof of concept exploit that allows remote code execution leveraging this vulnerability has been reported, although not publicly released
  • It has not yet been confirmed whether correctly formed DNS responses that trigger this vulnerability can pass through a DNS caching name server. If they can, attackers could exploit victims who would otherwise be protected by such a server
  • Although the vulnerability has some similarities to the GHOST vulnerability (CVE-2015-0235) announced last year, its implications are more serious and it needs to be addressed with a higher degree of urgency
Who is affected:
  • All versions of the Linux operating system running a vulnerable version of the GNU libc library (versions 2.9 through 2.22 are vulnerable). This includes:
eSentire protection:
  • Based on a recently released proof-of-concept exploit, eSentire has updated Network Interceptor™ signatures to detect attempts to exploit this vulnerability
  • In light of the seriousness of this vulnerability, we recommend that you immediately apply the appropriate security updates on all vulnerable Linux hosts
  • For firmware-based appliances, please consult your vendors for the latest vulnerability information and patches
