MS-ISAC CYBERSECURITY ADVISORIES
MS-ISAC ADVISORY NUMBER:
Multiple Vulnerabilities in GNU C Library Could Allow for Arbitrary Code Execution
Multiple vulnerabilities have been discovered in the GNU C Library (glibc), which could allow for arbitrary code execution. This library is required in all modern distributions of Linux as it defines the system calls and other basic facilities used in the Linux kernel. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the exploited application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could lead to a denial of service condition for the affected application.
A proof of concept has been publicly released. There are currently no reports of this vulnerability being exploited in the wild.
GNU C Library (glibc) versions 2.9 through 2.22 which may affect most Linux-based systems and applications compiled with glibc.
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
TECHNICAL SUMMARY: Multiple vulnerabilities in GNU C Library (glibc) could allow for arbitrary code execution.
- An arbitrary code execution vulnerability exists in the host name resolver 'getaddrinfo' function due to a stack-based buffer overflow (CVE-2015-7547).
- A denial of service vulnerability exists in the 'nss_files' database (CVE-2014-8121).
- A buffer overflow vulnerability exists in the '_r variants' of the host name resolution functions, which may result in arbitrary code execution (CVE-2015-1781).
- An information leak vulnerability exists in 'strftime' (CVE-2015-8776).
- A security bypass vulnerability exists in LD_POINTER_GUARD (CVE-2015-8777).
- A denial of service vulnerability exists in the 'hcreate' and 'hcreate_r' functions due to a failed bounds check (CVE-2015-8778).
- A denial of service vulnerability exists in 'catopen' due to several unbounded stack allocations (CVE-2015-8779).
- An arbitrary code execution vulnerability exists in 'strxfrm' due to an integer overflow.
- A denial of service vulnerability exists in the 'nmatch' function when processing a NUL character of a malformed pattern.
- A heap-based buffer overflow exists in the IO_wstr_overflow function.
- A denial of service vulnerability exists in the '_nss_dns_gethostbyname4_r' function, which may result in a memory leak.
An attacker can exploit these vulnerabilities to execute arbitrary code in the context of the affected application. Successful exploitation of these vulnerabilities may result in an attacker gaining the same privileges as the exploited application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could lead to a denial of service condition for the affected application.
RECOMMENDATIONS: We recommend the following actions be taken:
- Apply appropriate patches provided by the affected Linux distribution to the vulnerable systems immediately after appropriate testing.
- Run all software as a non-privileged user to diminish the effects of a successful attack.
- Contact device vendors to determine if equipment on your infrastructure is affected.
- Review internal applications to determine if they were compiled with the vulnerable versions of glibc.
- Temporary mitigation techniques include:
  - Dropping all UDP DNS packets greater than 512 bytes at the firewall.
  - A local resolver (that drops non-compliant responses).
  - Avoiding dual A and AAAA queries.
  - Prohibiting use of `options edns0` in /etc/resolv.conf.
  - Limiting all TCP replies to 1024 bytes.
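The following script is an added example and is not part of the MS-ISAC advisory or of glibc itself. It turns two of the recommendations above into a read-only host check: whether the installed glibc version falls in the advisory's affected range (2.9 through 2.22) and whether /etc/resolv.conf enables `options edns0`. It also prints, without applying it, an iptables rule of the form the advisory's UDP mitigation describes; the exact byte threshold and the `-m length` conversion from DNS payload to IP datagram size are this example's assumptions, not the advisory's.

```shell
#!/bin/sh
# Added example (not from the MS-ISAC advisory): read-only checks for the
# glibc advisory's affected range and the edns0 mitigation.

# Returns 0 if MAJOR.MINOR[.PATCH] is within 2.9 .. 2.22, 1 if outside,
# 2 if the string is not a version number at all.
glibc_in_affected_range() {
    ver="$1"
    major="${ver%%.*}"
    rest="${ver#*.}"
    minor="${rest%%.*}"          # drop any patch component: 2.22.1 -> 22
    case "$major$minor" in
        ''|*[!0-9]*) return 2 ;; # non-numeric input (e.g. "unknown")
    esac
    if [ "$major" -eq 2 ] && [ "$minor" -ge 9 ] && [ "$minor" -le 22 ]; then
        return 0
    fi
    return 1
}

# Prints the installed glibc version, or "unknown" on non-glibc systems.
installed_glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || v=$(ldd --version 2>/dev/null | awk 'NR==1 {print $NF}')
    printf '%s\n' "${v:-unknown}"
}

# Returns 0 if FILE has an uncommented "options ..." line that enables edns0.
resolv_conf_uses_edns0() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*options([[:space:]]+[^[:space:]]+)*[[:space:]]+edns0([[:space:]]|$)' "$1"
}

# Prints (does not apply) a rule matching the advisory's "drop UDP DNS
# packets greater than 512 bytes" mitigation. Assumption: iptables' length
# module counts the whole IPv4 datagram, so a 512-byte DNS payload plus a
# 20-byte IP header and 8-byte UDP header is 540 bytes; drop 541 and above.
suggested_udp_dns_rule() {
    printf '%s\n' 'iptables -A INPUT -p udp --sport 53 -m length --length 541:65535 -j DROP'
}

report() {
    v=$(installed_glibc_version)
    if glibc_in_affected_range "$v"; then
        echo "glibc $v: within the advisory's affected range (2.9-2.22); apply distribution patches"
    else
        echo "glibc $v: outside the affected range, or version not recognised"
    fi
    if resolv_conf_uses_edns0 /etc/resolv.conf; then
        echo "/etc/resolv.conf enables edns0 (advisory mitigation: remove it)"
    else
        echo "/etc/resolv.conf does not enable edns0"
    fi
    echo "Firewall rule matching the advisory's UDP DNS mitigation (review before applying):"
    echo "  $(suggested_udp_dns_rule)"
}

report
```

Run it as an unprivileged user on each host under review; it changes nothing. The firewall rule is printed rather than applied because, as the advisory notes, it is a temporary mitigation and the real fix is the distribution's glibc update.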
Google Online Security Blog: