Security experts have reported a potentially catastrophic flaw in one of the Internet’s core building blocks. Unfortunately, the flaw can leave thousands of applications and hardware devices vulnerable to attacks that can take complete control over them.
Initially, the vulnerability was presented back in 2008 in GNU C Library, a collection of open source code that powers thousands of standalone applications and most distributions of Linux, including those distributed with routers and other types of hardware. A function known as getaddrinfo() which performs domain-name lookups contains a buffer overflow bug that lets hackers remotely execute malicious code.
It can be exploited when vulnerable devices or applications make queries to attacker-controlled domain names or domain name servers or when they’re exposed to man-in-the-middle attacks where the adversary has the ability to monitor and manipulate data passing between a vulnerable device and the open Internet. All versions of glibc after 2.9 are vulnerable.
The open source library – glibc released an update which patches the vulnerability. Those, who are responsible for Linux-based software or hardware that performs domain name lookups should install it immediately.
Many users consider patching as a simple matter of downloading the update and installing it. However, there are others who think that a fix may not be so easy. Some applications which were compiled with a vulnerable version of glibc will have to be recompiled with an updated version of the library. Nevertheless, this process will take time due to the fact that users wait for fixes to become available from hardware manufacturers and app developers.
“It’s a big deal,” the security researcher Kenn White said, regarding the vulnerability.
“This is a core bedrock function across Linux. Things that do domain name lookups have a real vulnerability if the attacker can answer.”
The secure sudo and curl utilities are all known to be vulnerable and widely-used. Also, the experts warn that the list of other affected applications or code is almost too diverse and numerous to fully enumerate.
On Tuesday, Kenn White used a proof-of-concept exploit to determine that the version of the Wget utility he uses to test and query Web servers was vulnerable. White suspects that the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; the Python, PHP, and Ruby on Rails programming languages; and many other things that uses Linux code to look up the numerical IP address of an Internet domain. Most Bitcoin software is said to be vulnerable too.
The only Linux-based package which is not vulnerable is Google’s Android mobile operating system. It uses a glibc substitute known as Bionic and isn’t susceptible, according to a company representative.
On Tuesday, the vulnerability indexed as CVE-2015-7547, was disclosed by Google researchers. According to their report, they stumbled on the vulnerability when one of their SSH applications experienced an extremely serious error known as a segmentation fault each time it tried to contact a specific Internet address. Eventually, the Google engineers figured out that the error was caused by a buffer overflow inside glibc that made malicious code-execution attacks possible and notified glibc maintainers after that.
The researchers learned that glibc maintainers had been warned about the vulnerability last July, and the people who work for the Red Hat Linux distribution had also independently discovered the bug and were working on a fix.
“This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users,” the researchers from Google stated.
They also explained that weaponized exploits which successfully execute malicious code are “possible, but not straightforward” since they require the bypassing of address space layout randomization and other protections designed to make software more resistant to attacks.
In order to prevent the vulnerability from being exploited maliciously, Google researchers aren’t releasing the more advanced exploit they developed. The previously mentioned proof-of-concept attack hardly crashes an application, so users can figure out if it’s vulnerable.
Google’s blog stated:
“Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.”
At the same time, Glibc maintainers provided the following additional mitigation details:
Mitigating factors for UDP include:
- A firewall that drops UDP DNS packets > 512 bytes.
- A local resolver (that drops non-compliant responses).
- Avoid dual A and AAAA queries (avoids buffer management error) e.g.
- Do not use AF_UNSPEC.
- No use of `options edns0` in /etc/resolv.conf since EDNS0 allows
responses larger than 512 bytes and can lead to valid DNS responses
- No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both
lead to valid large EDNS0-based DNS responses that can overflow.
Mitigating factors for TCP include:
Limit all replies to 1024 bytes.
Mitigations that don’t work:
- Setting `options single-request` does not change buffer management
and does not prevent the exploit.
- Setting `options single-request-reopen` does not change buffer
management and does not prevent the exploit.
- Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC
unconditionally enables the dual query.
- The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not
protect your system from the exploit.
- Blocking IPv6 at a local or intermediate resolver does not work to
prevent the exploit. The exploit payload can be delivered in A or
AAAA results, it is the parallel query that triggers the buffer
The researchers will need more time to analyze the latest bug, however, it turns out it poses the biggest threat to routers and Internet-of-things devices that use glibc. These devices rarely contain the types of No-eXecute and ASLR mitigations which come standard on most production servers, making code-execution exploits much easier to develop. Besides, hardware is rarely updated, making it unlikely vulnerable devices will ever be patched. Fortunately, many home routers use glibc alternatives which have yet to be reported as vulnerable. Keep in mind that it could take weeks for a complete list of vulnerable devices to be released.