Last week, Google and Red Hat revealed they had discovered a serious vulnerability in the GNU C Library, a collection of software present on almost all Linux servers and used by many Linux-based applications. The vast majority of web hosting platforms — including ours — run on Linux.
I’d like to take a quick look at how this vulnerability impacts web hosting platforms and their clients, but before we get into the details, it should be pointed out that patches to fix the vulnerability were quickly released and have been applied to all of our hosting servers. Nexcess clients are no longer vulnerable.
The GNU C Library, usually referred to as glibc, is a set of libraries that can be found on almost every Linux server. A library is a collection of functions and tools that are used by other programs. Libraries like glibc are used because many applications have features that do the same thing: saving a file to disk or making a network connection are common examples. It is more efficient to develop those features once, include them in a library, and allow other applications to use them, rather than developing them afresh for each application.
The functions in glibc are used by many thousands of programs, in practice almost every dynamically linked program on a Linux system, including web servers, language runtimes such as PHP, and utilities like sudo, ssh, curl, and wget.
In this case, the problem is in the getaddrinfo() function, which programs call to resolve a hostname into an IP address, so it is reached by nearly any software that opens a network connection by name. The bug, tracked as CVE-2015-7547, is a stack-based buffer overflow: glibc sets aside a fixed 2048-byte buffer on the stack for the DNS answer, and a crafted response that exceeds that buffer can overwrite adjacent memory. An attacker who controls the response can therefore potentially execute arbitrary code inside the process that performed the lookup, with whatever privileges that process holds.
Almost every Linux web hosting server on the planet was vulnerable to this bug, but that does not mean hosting clients should worry unduly. It is a serious vulnerability, but at the time of disclosure there was no evidence of it being exploited in the wild, and exploiting it reliably is difficult.
An attacker needs two things. First, a program on the target has to perform a DNS lookup whose answer the attacker controls: either the attacker runs the authoritative name server for a domain the target is induced to resolve, or the attacker sits in a man-in-the-middle position between the server and its DNS resolver and substitutes the reply. Second, the attacker's DNS software has to return a specially crafted, oversized response that triggers the overflow. Even then, the attacker must defeat built-in protections such as address space layout randomization (ASLR) to turn the overflow into remote code execution rather than a crash. One caveat: any service that resolves hostnames supplied by users, such as a web application that fetches a user-provided URL, hands an attacker the first ingredient for free, which is why patching promptly mattered even though no active exploitation was observed.
If you’re interested in the technical details of the vulnerability, Google has an excellent writeup.
For the majority of web hosting clients, there is no need to worry. This is a difficult-to-exploit vulnerability and there is no evidence that it has been actively exploited by attackers. Patches were released quickly following its disclosure, and our servers have been updated so that they are no longer vulnerable. Note that a patched glibc only protects processes started after the update: long-running services keep the old library mapped in memory until they are restarted, so a patch should always be followed by restarting affected services or rebooting.
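If you run your own Linux servers, the following is an added example of a quick triage check; it is not code from the original post. It classifies a glibc version string against the upstream range affected by this bug (glibc 2.9 up to and including 2.22, with the fix in 2.23), and reads the installed version from ldd, which ships as part of glibc. The function names, the status labels, and the sample version strings are my own. The important caveat is built in: distributions such as Red Hat, Debian, and Ubuntu backport the fix without changing the version number, so a version inside the affected range means "verify the package changelog", not "vulnerable".

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a glibc version string
# against the upstream range affected by the getaddrinfo bug (CVE-2015-7547):
# 2.9 up to and including 2.22, fixed in 2.23. Distro packages backport the
# fix without bumping the version, so an in-range version is only a "check".

glibc_version_status() {
    ver="$1"
    # Keep only the leading digits of the first two components so package
    # strings such as "2.17-106.el7" or "2.19-0ubuntu6.6" still parse.
    major=$(printf '%s' "$ver" | cut -d. -f1 | sed 's/[^0-9].*//')
    minor=$(printf '%s' "$ver" | cut -d. -f2 | sed 's/[^0-9].*//')
    case "$major" in ''|*[!0-9]*) echo "unparseable"; return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) echo "unparseable"; return 1 ;; esac

    if [ "$major" -ne 2 ] || [ "$minor" -lt 9 ]; then
        echo "not-affected"       # older than 2.9, or not the 2.x series
    elif [ "$minor" -ge 23 ]; then
        echo "fixed-upstream"     # 2.23 and later carry the upstream fix
    else
        echo "check-distro-patch" # in range: confirm a backported fix in the changelog
    fi
}

# First line of `ldd --version` is e.g. "ldd (GNU libc) 2.31"; take the last word.
installed_glibc_version() {
    ldd --version 2>/dev/null | sed -n '1s/.* //p'
}

# Report on the running system when glibc's ldd is available (skipped otherwise).
if [ -n "$(installed_glibc_version)" ]; then
    v=$(installed_glibc_version)
    echo "installed glibc $v: $(glibc_version_status "$v")"
fi
```

When the result is "check-distro-patch", look for the CVE in the package changelog rather than trusting the version number: `rpm -q --changelog glibc | grep -i 2015-7547` on Red Hat-style systems, or `apt-get changelog libc6 | grep -i 2015-7547` on Debian and Ubuntu. A positive result there still only covers processes started after the update, so restart services (or reboot) once the package is in place.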