Today we’d like to draw your attention to a serious vulnerability in the GNU C Library (glibc) used by Linux systems. By exploiting it, an attacker can take complete control of a victim’s system without needing access to, or knowledge of, that system’s credentials. Thankfully, patches are already available across all distributions; we advise all clients and hosts who have not already done so to update their glibc packages.
The issue, assigned CVE-2015-0235, is a heap-based buffer overflow in __nss_hostname_digits_dots(), which is used by both the gethostbyname() and gethostbyname2() glibc functions. A remote attacker who can make an application call either of those functions can run arbitrary code under the identity of the user running that application.
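As an added illustration (this program is not part of the Nexcess post; it follows the approach of the checker Qualys published with its advisory), the self-test below sizes an all-digit name so that an unpatched __nss_hostname_digits_dots() passes its buffer-length check yet still writes sizeof(char *) bytes past the caller's buffer, clobbering a canary placed directly behind it. A patched glibc refuses the call with ERANGE before writing anything, so the canary survives.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>

/* Canary placed immediately after the resolver's scratch buffer. An
 * unpatched __nss_hostname_digits_dots() writes past the buffer and
 * overwrites it; a patched one refuses the call with ERANGE first. */
#define CANARY "in_the_coal_mine"

static struct {
    char buffer[1024];
    char canary[sizeof(CANARY)];
} temp = { "buffer", CANARY };

/* Returns 1 if the canary survived (glibc patched or unaffected),
 * 0 if it was overwritten (vulnerable glibc). *retval receives the
 * gethostbyname_r() result; a patched glibc reports ERANGE. */
int ghost_canary_intact(int *retval)
{
    struct hostent resbuf;
    struct hostent *result;
    int herrno;
    char name[sizeof(temp.buffer)];

    /* The unpatched size check budgets 16 bytes of address storage,
     * two address pointers and the name, but forgets one alias pointer.
     * This length makes that check pass exactly, so the real writes run
     * sizeof(char *) bytes past the end of temp.buffer. */
    size_t len = sizeof(temp.buffer) - 16 * sizeof(unsigned char)
                 - 2 * sizeof(char *) - 1;

    memset(name, '0', len);   /* all digits: takes the digits-and-dots path */
    name[len] = '\0';

    *retval = gethostbyname_r(name, &resbuf, temp.buffer,
                              sizeof(temp.buffer), &result, &herrno);
    return strcmp(temp.canary, CANARY) == 0;
}

int main(void)
{
    int retval;
    int ok = ghost_canary_intact(&retval);
    printf("%s (gethostbyname_r returned %d, ERANGE is %d)\n",
           ok ? "not vulnerable: canary intact" : "VULNERABLE: canary overwritten",
           retval, ERANGE);
    return ok ? 0 : 1;
}
```

Run it on each host after the package update; a fixed glibc prints the "not vulnerable" line with ERANGE as the return value.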
The bug was first discovered by Qualys researchers during a routine code audit. Virtually any type of server can be affected, as gethostbyname() is among the most commonly used functions on Linux.
“This bug can be triggered both locally and remotely via all the gethostbyname*() functions,” reads a post on the Qualys blog. “Applications have access to the DNS resolver primarily through the gethostbyname*() set of functions. These functions convert a hostname into an IP address.”
Qualys also posted a brief video advisory on the vulnerability, whose exploitation they report bypasses all existing protections and security measures on both 32- and 64-bit systems.
“The first vulnerable version of the GNU C Library affected by this is glibc-2.2, released on November 10, 2000,” continues the article. “We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18).”
“Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed, including Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example.”
Nexcess is actively patching the bug across all its systems. Users should not notice any serious disruption in service as we update; however, sshd will be gracefully restarted, as the update forces an sshd service restart in its post-upgrade script. Other services found to be affected by this glibc library will be scheduled for a graceful restart as needed.