A Vulnerability in GNU C Library Could Allow for Remote Code Execution

ITS Advisory Number: 2016-031
Date(s) Issued: Wednesday, February 17, 2016
Subject: A Vulnerability in GNU C Library Could Allow for Remote Code Execution
Overview:

A vulnerability has been discovered in the GNU C Library (glibc) that could allow for remote code execution. This library is required in all modern distributions of Linux, as it defines the system calls and other basic facilities used in the Linux kernel. There are currently no reports of this vulnerability being exploited in the wild. However, a proof-of-concept exploit has been publicly released.

Successful exploitation of this vulnerability could result in an attacker gaining the same privileges as the exploited application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could lead to a denial of service condition for the affected application. 

Systems Affected:
  • All versions of glibc after version 2.9

RISK
GOVERNMENT
  Large and medium government entities: High
  Small government entities: High
BUSINESS
  Large and medium business entities: High
  Small business entities: High
Home Users: Low
Description: 

A stack-based buffer overflow vulnerability has been discovered in GNU libc that could allow remote code execution on the affected device. The glibc host name resolver function, getaddrinfo, can mismanage its internal buffers when processing AF_UNSPEC queries (used for dual A/AAAA lookups). This leads to a stack-based buffer overflow and arbitrary code execution. The flaw affects most applications that perform host name resolution through getaddrinfo, including system services.

Actions: 
  • Apply appropriate patches to the vulnerable systems immediately after appropriate testing.
  • Block outbound DNS unless it originates from a trusted resolver.
  • Consider restricting DNS response sizes to 1024 bytes for TCP and 512 bytes for UDP.
  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.
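As an added illustration of the response-size mitigation in the actions above (example code written for this page, not part of the advisory or of glibc), the following Python checks a captured DNS response against the 512-byte UDP and 1024-byte TCP limits. The `build_response` and `frame_tcp` helpers construct synthetic messages for testing and are assumptions of this example, not real resolver output.

```python
import struct

# Response-size limits recommended by the advisory, in bytes of DNS payload.
MAX_UDP_RESPONSE = 512
MAX_TCP_RESPONSE = 1024


def parse_dns_header(payload):
    """Return (id, flags, qdcount, ancount) from the fixed 12-byte DNS header."""
    if len(payload) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    ident, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    return ident, flags, qd, an


def check_response(transport, data):
    """Return (ok, reason) for a DNS response received over 'udp' or 'tcp'.

    For TCP, data is the wire frame: 2-byte big-endian length prefix + payload.
    A response that exceeds the advisory's limit for its transport is rejected.
    """
    if transport == "tcp":
        if len(data) < 2:
            return False, "tcp frame missing length prefix"
        declared = struct.unpack("!H", data[:2])[0]
        payload = data[2:]
        if declared != len(payload):
            return False, "tcp length prefix %d != payload %d" % (declared, len(payload))
        limit = MAX_TCP_RESPONSE
    elif transport == "udp":
        payload, limit = data, MAX_UDP_RESPONSE
    else:
        return False, "unknown transport %r" % transport
    _ident, flags, _qd, _an = parse_dns_header(payload)
    if not flags & 0x8000:          # QR bit clear: this is a query, not a response
        return False, "QR bit clear: not a response"
    if len(payload) > limit:
        return False, "%s response of %d bytes exceeds %d-byte limit" % (transport, len(payload), limit)
    return True, "ok"


def build_response(ident, answer_count, padding):
    """Constructed test data: a response header followed by filler bytes."""
    header = struct.pack("!HHHHHH", ident, 0x8180, 1, answer_count, 0, 0)
    return header + b"\x00" * padding


def frame_tcp(payload):
    """Constructed test data: add the 2-byte length prefix used on TCP."""
    return struct.pack("!H", len(payload)) + payload
```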