glibc vulnerable to stack buffer overflow in DNS resolver
Original Release date: 17 Feb 2016 | Last revised: 29 Feb 2016

Overview
GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.

Description

CWE-121: Stack-based Buffer Overflow – CVE-2015-7547
According to a Google security blog post: “The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”

According to glibc developers, the vulnerable code was initially added in May 2008 as part of the development for glibc 2.9.

All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected. More details and analysis are available in the patch announcement from glibc developers.
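
An added example, not part of the original advisory: a shell function that classifies a glibc version string against the affected range given above (2.9 through 2.22), comparing the fields numerically so that 2.10 is not mistaken for a release older than 2.9. The name glibc_status is an assumption made for this example. Distributions often backport fixes without changing the upstream version number, so an in-range result means the vendor's advisory should be checked, not that the system is necessarily unpatched.

```sh
#!/bin/sh
# Added example: classify a glibc version against the range this advisory
# lists as affected by CVE-2015-7547 (2.9 through 2.22).

# glibc_status VERSION
#   Prints "in-range", "not-in-range" or "unparsed".
#   Accepts "2.19", "2.17.1" or the getconf form "glibc 2.19".
glibc_status() {
    ver=${1##* }                 # drop a leading "glibc " if present
    case $ver in
        *.*) ;;                  # need at least major.minor
        *) echo unparsed; return 0 ;;
    esac
    major=${ver%%.*}             # text before the first dot
    rest=${ver#*.}               # text after the first dot
    minor=${rest%%.*}            # second field only; ignore a patch level
    # Both fields must be non-empty and purely numeric.
    case $major in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    case $minor in ''|*[!0-9]*) echo unparsed; return 0 ;; esac
    # Compare field by field as integers: as strings or decimals,
    # "2.10" would sort before "2.9" and be wrongly treated as older.
    if [ "$major" -eq 2 ] && [ "$minor" -ge 9 ] && [ "$minor" -le 22 ]; then
        echo in-range
    else
        echo not-in-range
    fi
}

# Report on the local system when getconf can name the glibc version
# (the query fails on systems that do not use glibc).
if local_ver=$(getconf GNU_LIBC_VERSION 2>/dev/null); then
    echo "$local_ver: $(glibc_status "$local_ver")"
fi
```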

Impact

The getaddrinfo() function allows a buffer overflow condition in which arbitrary code may be executed.

The impact may vary depending on whether the use case is local or remote.

Solution

Apply an update

A patch for glibc is available. Affected users should apply the patch as soon as possible. The patch will also be included as part of the upcoming glibc 2.23 release. The Vendor Status information below provides more information on updates.

Vendor Information

Some embedded operating systems or older, no longer supported versions of Linux distributions may contain an older version of glibc that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue.

Vendor                       Status        Date Notified  Date Updated
Android Open Source Project  Affected      17 Feb 2016    23 Feb 2016
Arista Networks, Inc.        Affected      17 Feb 2016    17 Feb 2016
Blue Coat Systems            Affected      17 Feb 2016    26 Feb 2016
Cisco                        Affected      17 Feb 2016    18 Feb 2016
Debian GNU/Linux             Affected      17 Feb 2016    17 Feb 2016
Gentoo Linux                 Affected      17 Feb 2016    17 Feb 2016
GNU glibc                    Affected      17 Feb 2016    17 Feb 2016
Red Hat, Inc.                Affected      17 Feb 2016    17 Feb 2016
Ubuntu                       Affected      17 Feb 2016    17 Feb 2016
EfficientIP                  Not Affected                 18 Feb 2016
Openwall GNU/*/Linux         Not Affected  17 Feb 2016    22 Feb 2016
PC-BSD                       Not Affected  17 Feb 2016    17 Feb 2016
TCPWave                      Not Affected                 18 Feb 2016
ACCESS                       Unknown       17 Feb 2016    17 Feb 2016
Alcatel-Lucent               Unknown       17 Feb 2016    17 Feb 2016

If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group          Score  Vector
Base           10.0   AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.1    E:POC/RL:TF/RC:C
Environmental  8.1    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

Credit
This vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O’Donell of Red Hat.

Google thanks: “Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O’Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development.”
This document was written by Garret Wassermann.

Other Information
CVE IDs: CVE-2015-7547
Date Public: 16 Feb 2016
Date First Published: 17 Feb 2016
Date Last Updated: 29 Feb 2016
Document Revision: 49

Feedback
If you have feedback, comments, or additional information about this vulnerability, please send us email.