Ugh...
thanks, Royce.
On Tue, Feb 16, 2016, 2:53 PM Royce Williams <royce@tycho.org> wrote:
> Still researching, but this is a serious vulnerability that will likely need an
> out-of-band patch for many Linux systems and appliances, with a special
> focus on anything processing inbound connections (email, SSH, VPN, Citrix,
> etc.)
>
> Some good summaries:
>
> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>
> *It can be exploited when vulnerable devices or apps make queries to
> attacker-controlled domain names or domain name servers or when they're
> exposed to man-in-the-middle attacks
> <https://en.wikipedia.org/wiki/Man-in-the-middle_attack> where the
> adversary has the ability to monitor and manipulate data passing between a
> vulnerable device and the open Internet. All versions of glibc after 2.9
> are vulnerable.*
>
> *[…] including virtually all distributions of Linux; the Python, PHP, and
> Ruby on Rails programming languages; and many other things that use Linux
> code to look up the numerical IP address of an Internet domain*
>
> https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/
>
> *The exploit will likely trigger a DNS lookup from a vulnerable system.
> DNS lookups can be triggered in many ways: An image embedded in a web page,
> an email sent that is processed by a spam filter (which involves DNS
> lookups) are just two of many options.*
>
> Mitigation:
>
> 1. Instrument how many of the DNS responses you get are legitimately larger
> than 2048 bytes.
>
> 2. With this info in hand, judge whether or not you can block all
> inbound DNS replies larger than 2048.
>
> Vulnerable:
>
> - SSH, wget, sudo, curl -- a loooooooong list, still being
> determined.
>
> - RHEL: 5 too old to be affected, but 6 and 7 are.
>
> - Debian and its children (Ubuntu) – squeeze, wheezy, jessie
>
> PoC: https://github.com/fjserna/CVE-2015-7547
>
> Other refs:
>
> https://access.redhat.com/security/cve/cve-2015-7547
>
> https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=18665
>
> Royce
--
*JP (Jesse Perry)*
voice/txt: 907-748-2200
email: jp@jptechnical.com
web: http://jptechnical.com
support: helpdesk@jptechnical.com

Received on Tue Feb 16 15:02:00 2016
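The first mitigation step in Royce's quoted message, measuring how many DNS replies legitimately exceed 2048 bytes, as an added example that is not from the thread or from any of the linked references: it frames DNS-over-TCP messages, recognises responses by the QR bit, and tallies oversized replies per transport so step 2 can be judged on real numbers. The packets below are constructed inline for the demonstration; `example.com` and the TXT contents are placeholders.

```python
import struct
from collections import Counter

SIZE_THRESHOLD = 2048  # reply size discussed in the mitigation steps above

def encode_name(name):
    """Dotted hostname -> DNS wire-format labels with a zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_txt_response(qname, txt_chunks, ident=0x1234):
    """Constructed sample data only: a NOERROR response with one TXT RR per chunk."""
    hdr = struct.pack("!HHHHHH", ident, 0x8180, 1, len(txt_chunks), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 16, 1)  # TYPE TXT, CLASS IN
    answers = b""
    for chunk in txt_chunks:
        rdata = bytes([len(chunk)]) + chunk
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 300, len(rdata)) + rdata
    return hdr + question + answers

def split_tcp_stream(stream):
    """DNS over TCP prefixes each message with a 2-byte length (RFC 1035 4.2.2)."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        body = stream[off + 2:off + 2 + n]
        if len(body) < n:
            break  # truncated frame: stop rather than miscount
        msgs.append(body)
        off += 2 + n
    return msgs

def is_response(msg):
    """True when a full 12-byte header is present and the QR bit (0x8000) is set."""
    return len(msg) >= 12 and struct.unpack("!H", msg[2:4])[0] & 0x8000 != 0

def tally_reply_sizes(captures, threshold=SIZE_THRESHOLD):
    """captures: (transport, raw bytes) pairs; counts responses and oversized ones."""
    counts = Counter()
    for transport, raw in captures:
        for m in split_tcp_stream(raw) if transport == "tcp" else [raw]:
            if is_response(m):
                counts[f"{transport}_responses"] += 1
                counts[f"{transport}_over_{threshold}"] += int(len(m) > threshold)
    return counts

# Constructed traffic: a normal UDP reply, then a TCP stream with a normal and a large reply
SMALL = build_txt_response("example.com", [b"v=spf1 -all"])
LARGE = build_txt_response("example.com", [b"A" * 255] * 12)
TCP_STREAM = struct.pack("!H", len(SMALL)) + SMALL + struct.pack("!H", len(LARGE)) + LARGE
SAMPLE = [("udp", SMALL), ("tcp", TCP_STREAM)]
```

On live traffic, feed `tally_reply_sizes` the UDP payloads and reassembled TCP streams from your capture tool of choice; the `*_over_2048` counts relative to `*_responses` are the baseline the second step asks you to weigh before blocking.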
This archive was generated by hypermail 2.1.8 : Tue Feb 16 2016 - 15:02:00 AKST