[aklug] Re: Fwd: FW: very bad glibc bug (CVE-2015-7547)

From: JP <jp@jptechnical.com>
Date: Tue Feb 16 2016 - 16:44:07 AKST

Ugh...

thanks Royce.

On Tue, Feb 16, 2016, 2:53 PM Royce Williams <royce@tycho.org> wrote:

> Still researching, but this is a serious vulnerability that will likely need an
> out-of-band patch for many Linux systems and appliances, with a special
> focus on anything processing inbound connections (email, SSH, VPN, Citrix,
> etc.)
>
> Some good summaries:
>
> http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
>
> *It can be exploited when vulnerable devices or apps make queries to
> attacker-controlled domain names or domain name servers or when they're
> exposed to man-in-the-middle attacks
> <https://en.wikipedia.org/wiki/Man-in-the-middle_attack> where the
> adversary has the ability to monitor and manipulate data passing between a
> vulnerable device and the open Internet. All versions of glibc after 2.9
> are vulnerable.*
>
> *[…] including virtually all distributions of Linux; the Python, PHP, and
> Ruby on Rails programming languages; and many other things that use Linux
> code to look up the numerical IP address of an Internet domain*
>
> https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/
>
> *The exploit will likely trigger a DNS lookup from a vulnerable system.
> DNS lookups can be triggered in many ways: An image embedded in a web page,
> an email sent that is processed by a spam filter (which involves DNS
> lookups) are just two of many options. *
>
> Mitigation:
>
> 1. Instrument how many DNS responses you get are legitimately larger
> than 2048 bytes
>
> 2. With this info in hand, judge whether or not you can block all
> inbound DNS replies larger than 2048.
>
> Vulnerable:
>
> - SSH, wget, sudo, curl, -- a loooooooong list, still being
> determined.
>
> - RHEL: 5 too old to be affected, but 6 and 7 are.
>
> - Debian and its children (Ubuntu) – squeeze, wheezy, jessie
>
> PoC: https://github.com/fjserna/CVE-2015-7547
>
> Other refs:
>
> https://access.redhat.com/security/cve/cve-2015-7547
>
> https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
>
> https://sourceware.org/bugzilla/show_bug.cgi?id=18665
>
> Royce
>

-- 
*JP (Jesse Perry)*
voice/txt: 907-748-2200
email: jp@jptechnical.com
web: http://jptechnical.com
support: helpdesk@jptechnical.com
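A worked example of mitigation step 1 from the quoted message (measure how many DNS replies legitimately exceed 2048 bytes before deciding whether step 2, blocking them, is affordable). This is added here as an illustration; it is not code from the thread, from Royce, or from any of the linked projects. It uses only the Python standard library, parses DNS wire-format responses, and the replies it counts are constructed inline (the hostnames, addresses, transaction id and record counts are made up) rather than captured from a real resolver.

```python
import struct

THRESHOLD = 2048  # byte size the mitigation advice in the thread keys on


def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(qname, addresses, txid=0x1234):
    """Build a standard-form DNS response with one A question and one A record
    per address. Constructed test input only; names and addresses are made up."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addresses), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C: compression pointer to the question name at offset 12,
        # followed by TYPE A, CLASS IN, TTL 300, RDLENGTH 4
        answers += b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + rdata
    return header + question + answers


def summarize_response(msg):
    """Return (txid, question name, answer count, total size) for one DNS message.
    Only the question name is decoded; that is enough to attribute the size."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    pos, labels = 12, []
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    return txid, ".".join(labels), an, len(msg)


def size_report(messages, threshold=THRESHOLD):
    """Count replies at or below vs above the threshold and list the oversized
    ones, so an operator can see which names legitimately produce big answers."""
    counts = {"at_or_below": 0, "above": 0}
    oversized = []
    for msg in messages:
        _txid, qname, an, size = summarize_response(msg)
        if size > threshold:
            counts["above"] += 1
            oversized.append((qname, size, an))
        else:
            counts["at_or_below"] += 1
    total = counts["at_or_below"] + counts["above"]
    counts["fraction_above"] = counts["above"] / total if total else 0.0
    return counts, oversized


def sample_messages():
    """Constructed sample traffic: two ordinary answers and one large round-robin."""
    return [
        build_response("www.example.com", ["192.0.2.1"]),
        build_response("mail.example.com", ["192.0.2.%d" % (i + 1) for i in range(100)]),
        build_response("cdn.example.com", ["198.51.100.%d" % (i % 250 + 1) for i in range(130)]),
    ]


if __name__ == "__main__":
    counts, oversized = size_report(sample_messages())
    print(counts)
    for qname, size, an in oversized:
        print("%s: %d bytes, %d answers" % (qname, size, an))
```

In practice you would feed `size_report` the raw UDP or TCP payloads a capture tool hands you over a representative period, and the report returns counts rather than only printing them so it can be checked. Large round-robin answers and DNSSEC-signed responses can legitimately exceed 2048 bytes, which is exactly why the thread puts the measurement step before the blocking step.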
---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.
Received on Tue Feb 16 15:02:00 2016

This archive was generated by hypermail 2.1.8 : Tue Feb 16 2016 - 15:02:00 AKST