[aklug] Fwd: FW: very bad glibc bug (CVE-2015-7547)

From: Royce Williams <royce@tycho.org>
Date: Tue Feb 16 2016 - 14:52:28 AKST

Still researching, but this is a serious vulnerability that will likely need an
out-of-band patch for many Linux systems and appliances, with a special
focus on anything processing inbound connections (email, SSH, VPN, Citrix,
etc.)

Some good summaries:

http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/

*It can be exploited when vulnerable devices or apps make queries to
attacker-controlled domain names or domain name servers or when they're
exposed to man-in-the-middle attacks
<https://en.wikipedia.org/wiki/Man-in-the-middle_attack> where the
adversary has the ability to monitor and manipulate data passing between a
vulnerable device and the open Internet. All versions of glibc after 2.9
are vulnerable.*

*[…] including virtually all distributions of Linux; the Python, PHP, and
Ruby on Rails programming languages; and many other things that use Linux
code to look up the numerical IP address of an Internet domain*

https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/

*The exploit will likely trigger a DNS lookup from a vulnerable system. DNS
lookups can be triggered in many ways: An image embedded in a web page, an
email sent that is processed by a spam filter (which involves DNS lookups)
are just two of many options.*

Mitigation:

1. Instrument how many of the DNS responses you receive are legitimately larger
than 2048 bytes.

2. With this info in hand, judge whether or not you can block all
inbound DNS replies larger than 2048 bytes.

Vulnerable:

- SSH, wget, sudo, curl -- a loooooooong list, still being
determined.

- RHEL 5 is too old to be affected, but 6 and 7 are.

- Debian and its children (Ubuntu) – squeeze, wheezy, jessie

PoC: https://github.com/fjserna/CVE-2015-7547

Other refs:

https://access.redhat.com/security/cve/cve-2015-7547

https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

https://sourceware.org/bugzilla/show_bug.cgi?id=18665

Royce
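As an added example (not part of the original post or of any of the linked references), here is one way to carry out the "instrument" step of the mitigation above: classify captured UDP DNS payloads by size against the 2048-byte threshold the post cites. The sample replies are constructed in the script; `build_reply` and `audit_replies` are names I chose, and in practice the payloads would come from a packet capture rather than from the builder.

```python
"""Audit UDP DNS reply payloads for the size class that matters for
CVE-2015-7547: replies larger than the 2048-byte buffer the post cites.
All sample payloads below are constructed, not captured traffic."""
import struct

OVERSIZE = 2048  # threshold from the mitigation advice above


def build_reply(name: str, n_answers: int, txn_id: int = 0x1234) -> bytes:
    """Construct a minimal, well-formed DNS A-record reply with n_answers
    RRs. Used only to generate sample input for the audit below."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    qname = labels + b"\x00"
    # header: id, flags (QR=1, RD=1, RA=1), qd=1, an=n, ns=0, ar=0
    hdr = struct.pack("!HHHHHH", txn_id, 0x8180, 1, n_answers, 0, 0)
    question = qname + struct.pack("!HH", 1, 1)  # type A, class IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)  # ptr to qname
    answers = b"".join(rr + bytes([10, 0, i >> 8, i & 0xFF])
                       for i in range(n_answers))
    return hdr + question + answers


def audit_replies(payloads, threshold: int = OVERSIZE) -> dict:
    """Classify UDP DNS payloads. Counts only genuine replies (QR bit set),
    reports how many exceed `threshold`, and counts truncated replies
    (TC bit), which make the resolver re-fetch a larger answer over TCP."""
    stats = {"replies": 0, "oversize": 0, "truncated": 0, "oversize_ids": []}
    for p in payloads:
        if len(p) < 12:
            continue  # too short to carry a DNS header
        txn_id, flags = struct.unpack("!HH", p[:4])
        if not flags & 0x8000:
            continue  # a query, not a reply
        stats["replies"] += 1
        if flags & 0x0200:
            stats["truncated"] += 1
        if len(p) > threshold:
            stats["oversize"] += 1
            stats["oversize_ids"].append(txn_id)
    return stats


SAMPLE = [  # constructed sample traffic: three replies and one bare query
    build_reply("example.com", 1, 0x0001),     # 45 bytes
    build_reply("example.com", 60, 0x0002),    # 989 bytes
    build_reply("example.com", 150, 0x0003),   # 2429 bytes, over threshold
    struct.pack("!HHHHHH", 0x0004, 0x0100, 1, 0, 0, 0),
]

if __name__ == "__main__":
    print(audit_replies(SAMPLE))
```

The counts tell you how much legitimate traffic a blanket ">2048 bytes" block would disturb; it is a measurement aid, not a substitute for the glibc patch.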

Received on Tue Feb 16 13:10:40 2016

This archive was generated by hypermail 2.1.8 : Tue Feb 16 2016 - 13:10:40 AKST