A critical vulnerability has been discovered in the GNU C Library (glibc) that leaves almost all Linux machines, many electronic devices and thousands of applications open to remote attack. It was found independently by researchers at Google and Red Hat and has been patched upstream.
What is the GNU C Library?
The GNU C Library (glibc) is the open-source C standard library that underpins thousands of applications and is a core component of most Linux distributions. It is the C library of the GNU system and of most systems built on the Linux kernel, so nearly every program on such a system links against it, whether or not the program is written in C.
The vulnerability, tracked as CVE-2015-7547, is a stack-based buffer overflow in glibc's client-side DNS resolver (reached through getaddrinfo()), the code that translates human-readable domain names such as google.com into IP addresses. It recalls last year's GHOST vulnerability (CVE-2015-0235), a separate buffer overflow in the same library's gethostbyname() functions that likewise exposed many machines to remote code execution (RCE).
How does the vulnerability work?
The flaw is triggered when an affected application or device sends a name lookup and receives a reply from a DNS server under the attacker's control (or one whose replies the attacker can tamper with) that is larger than the resolver expects. The oversized reply is written past the end of a fixed-size buffer on the stack.
That overflow corrupts the vulnerable application's memory and, in the worst case, hands the attacker control of the process and, from there, potentially the whole system. Because the trigger is an ordinary host-name lookup, the attack surface is wide: an attacker-controlled domain name written into server log files will fire the bug if log-analysis software later resolves it, and a Secure Shell (SSH) client can be attacked at the moment it resolves the host it is connecting to. Turning the overflow into reliable code execution is not trivial, however: the attacker still has to defeat the operating system's mitigations, such as non-executable stacks and ASLR.
An attacker on your network does not even need to run the DNS server. A man-in-the-middle (MitM) position lets them intercept and replace legitimate DNS replies, and a successful exploit then lets them monitor and manipulate the data flowing between the Internet and the vulnerable device.
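The bug class described above, modelled in C as an added illustration. This is not glibc's code and not the article's: it is a simplified model in which a resolver keeps a 2048-byte stack buffer for answers, switches to a heap buffer when a response is too large, and then receives a second response. The vulnerable variant grows the size variable without moving the destination pointer, so the second receive would be told it may write up to 65535 bytes into the 2048-byte stack buffer; the hardened variant updates pointer and size together. Nothing is actually overflowed here; each function only reports what the second recv() would be asked to do, so the program is safe to run. The constants and function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define STACK_ANSWER_SIZE 2048   /* fixed stack buffer, as in the article */
#define MAX_DNS_RESPONSE  65535  /* largest DNS payload a TCP reply can carry */

/* What the resolver would hand to recv() for the second response. */
struct recv_target {
    bool   uses_stack_buffer;  /* destination is the fixed stack buffer */
    size_t length;             /* byte count passed to recv() */
};

/* True when the planned recv() could write past its destination. */
static bool would_overflow(struct recv_target t)
{
    return t.uses_stack_buffer && t.length > STACK_ANSWER_SIZE;
}

/* Vulnerable pattern (model): the capacity is enlarged when the first
 * response does not fit, but the pointer used for the second receive
 * still refers to the stack buffer. */
static struct recv_target plan_second_recv_vulnerable(size_t first_len)
{
    char   stack_buf[STACK_ANSWER_SIZE];
    char  *ans     = stack_buf;         /* destination pointer */
    size_t anssize = sizeof stack_buf;  /* destination capacity */
    char  *heap_buf = NULL;

    if (first_len > anssize) {
        /* Oversized first response: grow the capacity ... */
        heap_buf = malloc(MAX_DNS_RESPONSE);
        if (heap_buf != NULL)
            anssize = MAX_DNS_RESPONSE;
        /* ... but `ans` is never pointed at the new buffer. */
    }

    struct recv_target t = {
        .uses_stack_buffer = (ans == stack_buf),
        .length            = anssize,
    };
    free(heap_buf);
    return t;
}

/* Hardened pattern: pointer and capacity always change together, so the
 * length passed to recv() is the one that belongs to the destination. */
static struct recv_target plan_second_recv_fixed(size_t first_len)
{
    char   stack_buf[STACK_ANSWER_SIZE];
    char  *ans     = stack_buf;
    size_t anssize = sizeof stack_buf;
    char  *heap_buf = NULL;

    if (first_len > anssize) {
        heap_buf = malloc(MAX_DNS_RESPONSE);
        if (heap_buf != NULL) {
            ans     = heap_buf;          /* pointer ... */
            anssize = MAX_DNS_RESPONSE;  /* ... and size move as a pair */
        }
    }

    struct recv_target t = {
        .uses_stack_buffer = (ans == stack_buf),
        .length            = anssize,
    };
    free(heap_buf);
    return t;
}

int main(void)
{
    size_t oversized = 3000;  /* constructed: a 2048+ byte first response */
    printf("vulnerable: second recv overflows stack? %s\n",
           would_overflow(plan_second_recv_vulnerable(oversized)) ? "yes" : "no");
    printf("fixed:      second recv overflows stack? %s\n",
           would_overflow(plan_second_recv_fixed(oversized)) ? "yes" : "no");
    return 0;
}
```

The point to take away for code review is the pairing: any time a buffer can be swapped from stack to heap, the pointer and the length used for the next write must live and change together (a struct holding both is the usual remedy), because a length that outgrows its buffer is exactly what turns a large DNS reply into a stack overwrite.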
Where did glibc go wrong?
The researchers traced the problem to a buffer-overflow bug in the way glibc's resolver handles DNS responses that do not fit its fixed-size buffer.
"The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack," wrote Google researcher Fermin J. Serna. "Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers, which limit the response size for UDP responses with the truncation bit set."
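The local-mitigation idea in the quote above, as an added example in C that is not part of the article and not code from glibc, dnsmasq or any other project: an acceptance check run on each received UDP DNS message before it is handed to the parser. It enforces a size ceiling (assumed here to be 2048 bytes, matching the stack buffer size the article mentions) and reads the truncation (TC) bit from the 12-byte DNS header, so that a server which truncates large answers properly leads to a retry over TCP rather than to an oversized datagram. The flag values follow the DNS header layout in RFC 1035; the sample messages built by verdict_for() are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_HEADER_LEN 12
#define RESPONSE_LIMIT 2048   /* assumed local cap: the resolver's stack buffer size */

/* Flag bits in the second 16-bit word of the DNS header (RFC 1035 4.1.1). */
#define DNS_FLAG_QR 0x8000    /* 1 = this message is a response */
#define DNS_FLAG_TC 0x0200    /* 1 = the server truncated the message */

enum verdict {
    DNS_ACCEPT,           /* safe to parse */
    DNS_RETRY_TCP,        /* truncated by the server: ask again over TCP */
    DNS_REJECT_TOO_BIG,   /* exceeds the local ceiling: drop it */
    DNS_REJECT_MALFORMED  /* no complete header, or not a response at all */
};

static uint16_t read_u16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);  /* DNS fields are big-endian */
}

/* Decide whether a received UDP DNS message may be handed to the parser. */
static enum verdict check_dns_response(const uint8_t *msg, size_t len)
{
    if (len < DNS_HEADER_LEN)
        return DNS_REJECT_MALFORMED;

    uint16_t flags = read_u16(msg + 2);
    if ((flags & DNS_FLAG_QR) == 0)
        return DNS_REJECT_MALFORMED;    /* a query, not an answer */

    /* Size ceiling comes first: an oversized datagram is dropped even if
     * it claims to be truncated, because the whole point is never to copy
     * more than RESPONSE_LIMIT bytes toward a fixed-size buffer. */
    if (len > RESPONSE_LIMIT)
        return DNS_REJECT_TOO_BIG;

    if (flags & DNS_FLAG_TC)
        return DNS_RETRY_TCP;           /* well-behaved server: fall back to TCP */

    return DNS_ACCEPT;
}

/* Build a constructed `len`-byte message with the given header flags
 * (zeroed counts and body) in a scratch buffer and run the check on it. */
static enum verdict verdict_for(size_t len, uint16_t flags)
{
    static uint8_t scratch[4096];
    if (len > sizeof scratch)
        len = sizeof scratch;
    memset(scratch, 0, sizeof scratch);
    scratch[0] = 0x12; scratch[1] = 0x34;       /* transaction ID */
    scratch[2] = (uint8_t)(flags >> 8);
    scratch[3] = (uint8_t)(flags & 0xff);
    return check_dns_response(scratch, len);
}

static const char *verdict_name(enum verdict v)
{
    static const char *names[] = {
        "accept", "retry over TCP", "reject: too big", "reject: malformed"
    };
    return names[v];
}

int main(void)
{
    printf("200-byte answer:            %s\n", verdict_name(verdict_for(200, DNS_FLAG_QR)));
    printf("3000-byte answer:           %s\n", verdict_name(verdict_for(3000, DNS_FLAG_QR)));
    printf("512-byte answer, TC set:    %s\n", verdict_name(verdict_for(512, DNS_FLAG_QR | DNS_FLAG_TC)));
    printf("8-byte fragment:            %s\n", verdict_name(verdict_for(8, DNS_FLAG_QR)));
    printf("100-byte query (QR clear):  %s\n", verdict_name(verdict_for(100, 0)));
    return 0;
}
```

The check is a stop-gap for hosts that cannot be patched immediately, not a replacement for the fix: it only covers lookups that pass through a resolver you control, and the ceiling must be chosen below the size at which the vulnerable code path is reached.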
Affected devices and software
Every glibc release from 2.9 onward is affected until the fix (included in glibc 2.23) is applied. Any application that talks to the network and resolves host names through glibc is therefore at risk; the ssh, curl and sudo utilities are known to reach the vulnerable code. That covers a large share of the software stack, including:
- Language runtimes and frameworks such as PHP, Python and Ruby on Rails, which resolve names through glibc
- Every Linux distribution that ships glibc
- Most Bitcoin software
Who is not affected?
The Android mobile operating system is not vulnerable: according to a Google representative, Android uses its own C library, Bionic, in place of glibc, and Bionic is not susceptible. Many embedded Linux devices, including home routers and similar gadgets, are also unaffected because they use the uClibc library rather than glibc.
Proof-of-concept exploit released
Google researcher Fermin J. Serna has released proof-of-concept (PoC) code. With it, administrators can verify whether their systems are affected by this critical flaw.
Patching the glibc vulnerability
The Google and Red Hat researchers have released a patch that fixes the flaw in glibc itself, but it is up to each Linux distribution to ship updated packages and up to administrators to install them. Note that updating the library on disk is not enough on its own: processes that were already running keep the old copy of glibc mapped in memory, so long-running services (and, most simply, the whole machine) must be restarted before they are protected.