CVE-2015-7547: glibc vulnerability in getaddrinfo() function

Google researchers Fermin J. Serna and Kevin Stadmeyer released a blog post on February 16th, 2016 stating that they found a stack-based buffer overflow vulnerability in the getaddrinfo function in glibc.

The stack-based buffer overflow was found in the way the libresolv library performed dual A (IPv4) and AAAA (IPv6) DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library.

Please note: though the disclosure specifically mentions IPv6 AAAA queries, whether or not IPv6 is deployed or disabled is irrelevant to the vulnerability being exploited!

This discovery is significant for a number of reasons:

  • Pretty much every Linux system uses glibc, and getaddrinfo is typically used to resolve IP addresses. Which means Linux servers as well as workstations, are vulnerable unless it runs an older version of glibc.
  • Google isn’t the first one that spotted the bug, but determined it’s significance in collaboration with Redhat.
  • Google was able to create a PoC (proof of concept) exploit. While exploitation depends on the countermeasures systems use for stack based buffer overflows, it is possible to exploit the bug and achieve command execution.
  • The exploit will likely trigger a DNS lookup from a vulnerable system. DNS lookups can be triggered in many ways: An image embedded in a web page, an email sent that is processed by a spam filter (which involves DNS lookups) are just two of many options.


Who’s affected?

All versions of glibc after 2.9 are vulnerable. Version 2.9 was introduced all the way back in May 2008.

This vulnerability affects the libraries shipped with RHEL/CentOS versions 6.x and 7.x only. RHEL/CentOS Versions 5.x are not affected and do not require patching.

It also affects Debian based systems (squeeze, wheezy and jessie). Patched versions have been pushed to all major vendor repositories by now and everyone is urged to update as soon as possible.


What can you do?

  • Patch your own systems! Whether its your workstations, laptops or server(s). Update as soon as possible.
  • Make sure all systems use a specific resolver and block outbound DNS unless it originates from this resolver (this is a good idea anyway!). This will limit exposure to the resolver, ultimately reducing the threat.



!!! Important !!!

ALL affected servers will experience some duration of downtime or service outages!



Why?

GLIBC is the GNU Project’s implementation of the C standard library. The C standard library provides macros, type definitions, and functions for tasks like string handling, mathematical computations, input/output processing, memory management and several other operating system services.

This library is a critical dependency to nearly every binary or service that run on a typical linux machine. Everything from sshd/bash and mail/ftp services to every component of a LAMP stack is linked to glibc and will need to be restarted in order to link to the new library that is patched against this vulnerability.

Many vendors are advising that you reboot your system after patching. While this surely will ensure all linking to the vulnerable library is eliminated, it is not necessary.

After applying the patches, you can use the lsof command to find binaries/services running that are still holding onto the old library:

lsof +c0 | grep libc- | grep deleted

Certain binaries, such as init do not need to be touched since it has no reliance on the vulnerable getaddrinfo function.

You can confirm this using objdump like so:

objdump -T /sbin/init | grep getaddrinfo


References

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://access.redhat.com/security/cve/cve-2015-7547
https://github.com/fjserna/CVE-2015-7547