A serious vulnerability in the GNU C Library, commonly known as glibc, were widely reported today. The GNU C Library is widely used on Linux systems and is used within routers that rely on Linux for their firmware. The vulnerability is within the getaddrinfo function that converts domain names, hostnames, and IP addresses between human-readable text and the structured binary formats used by the operating system. The vulnerability permits a buffer overflow attack to potentially allow the execution of arbitrary code on an affected system by an attacker.
An attacker could take advantage of the vulnerability through a lookup on an attacker controlled domain name or through compromised Domain Name System (DNS) servers, or via a man-in-the-middle attack where an attacker has the capabililty to alter DNS data flowing to/from the vulnerable system and DNS servers.
The vulnerability has been given the Common Vulnerabilities and Exposures (CVE) designation CVE-2015-7547. The issue was detected by Google researchers investigating a segmentation fault issue they encountered with a Secure Shell (SSH) application. The researches traced the issue to a buffer overflow inside glibc. When they reported the issue to the glibc maintainers, they found that the maintainers had been informed of the vulnerability in July and that individuals involved with the Red Hat distribution of Linux had also discovered the vulnerability and were working on a fix for it. The Google researchers disclosed the vulnerability today.
If you are responsible for a Linux system or other equipment that uses
glibc, you should update the software as soon as feasible. If you have a system
that uses the RPM
Package Manager, you can see what version of glibc is installed and the
build date for the package with
rpm -qi glibc. On systems that
use the open-source command-line package-management utility
you can issue the command
yum update glibc from the root account.
The currently available version for
CentOS Linux systems is glibc 2.17. CentOS is functionally compatible with its
Red Hat Enterprise
Extremely severe bug leaves dizzying number of software and devices vulnerable
By Dan Goodin
Date: February 16, 2016 Ars Technica
CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
Posted By: Fermin J. Serna, Staff Security Engineer and Kevin Stadmeyer, Technical Program Manager for Google
Date Posted: February 16, 2016
Google Online Security Blog