Google and Red Hat have independently discovered a security vulnerability introduced in a 2008 update of the Glibc library.
Glibc, the GNU C library that was also at the root of the GHOST vulnerability discovered last year, is potentially susceptible to another critical flaw affecting almost all Linux-based machines as well as some network frameworks in which the code is used. The vulnerability, which has been present for several years, was discovered by Google and Red Hat and disclosed only last Tuesday, after it had been corrected. At the time of writing, a corrective patch is available.
The flaw was introduced in 2008 in the GNU C library, a collection of open-source code used in a variety of stand-alone applications and in several Linux distributions, including those designed for embedded devices and routers. One of its features, used for DNS and domain name lookups, contains a buffer overflow bug that allows external attackers to execute malicious code in specific, limited situations. The flaw can be exploited when affected systems or apps are the victims of a man-in-the-middle attack or look up DNS domains controlled by the attacker.
The Glibc maintainers have already released a patch to fix the vulnerability, and updating is highly recommended for anyone running Linux-based hardware or software. But while for Linux server operators the upgrade simply requires installing the package, the situation may not be as straightforward for other users of applications or services affected by the bug. They must wait for the individual apps to be recompiled with the updated Glibc, a process that might not be quick and that depends on the application developers and hardware manufacturers.
Pending updates, administrators of potentially affected systems can protect themselves with a strictly temporary measure that Google has described in the past few hours: “The vulnerability is based on an oversized TCP or UDP response (2048 bytes or more). Our suggestion to mitigate the problem is to limit the size of the responses (with DNSMasq or similar) accepted by the local DNS resolver, and to make sure that DNS queries are sent only to DNS servers that limit the size of the UDP response.”
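To make the size condition concrete, the following Python example (added here, not taken from the original article or from Google) flags DNS responses at or above the 2048-byte size quoted above, both for raw UDP payloads and for TCP streams, where each DNS message carries a 2-byte length prefix. The function names and the sample messages are constructed for this illustration.

```python
import struct

OVERSIZE = 2048  # bytes; the threshold quoted in the mitigation advice above

def is_response(msg: bytes) -> bool:
    """True if msg has a full 12-byte DNS header with the QR (response) bit set."""
    return len(msg) >= 12 and bool(struct.unpack("!H", msg[2:4])[0] & 0x8000)

def split_tcp_stream(stream: bytes):
    """Yield DNS messages from a TCP stream; each has a 2-byte length prefix."""
    offset = 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[offset:offset + 2])
        body = stream[offset + 2:offset + 2 + length]
        if len(body) < length:
            break  # truncated capture: stop instead of guessing
        yield body
        offset += 2 + length

def flag_oversized(transport: str, payload: bytes, threshold: int = OVERSIZE):
    """Return [(transaction_id, size)] for DNS responses of threshold bytes or more."""
    messages = [payload] if transport == "udp" else split_tcp_stream(payload)
    return [(struct.unpack("!H", m[:2])[0], len(m))
            for m in messages if is_response(m) and len(m) >= threshold]

# --- Constructed sample data (not real traffic) ---
def make_message(txid: int, response: bool, size: int) -> bytes:
    """Build a header-only DNS message padded with zero bytes to `size`."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", txid, flags, 0, 0, 0, 0).ljust(size, b"\x00")

def frame(msg: bytes) -> bytes:
    """Add the 2-byte length prefix used for DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg

UDP_SMALL = make_message(0x1111, True, 512)
UDP_BIG = make_message(0x2222, True, 2048)
TCP_STREAM = (frame(make_message(0x3333, True, 300))
              + frame(make_message(0x4444, True, 4000))
              + frame(make_message(0x5555, False, 3000)))  # a query, not a response

if __name__ == "__main__":
    print(flag_oversized("udp", UDP_SMALL))
    print(flag_oversized("udp", UDP_BIG))
    print(flag_oversized("tcp", TCP_STREAM))
```

A check like this is useful for confirming that a size-limiting resolver is actually in the path: once the limit is in place, no response reaching the client should be flagged.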
The bug is present in Glibc version 2.9, released in May of 2008, but was discovered and reported to the maintainers only last July. Based on the documents released to the public, it seems that the flaw has never been publicly exploited. Now that it has been made public, upgrading is strongly recommended, because an attacker might target the more vulnerable systems. The attack is not a simple one.
Google has commented that “the execution of remote code is possible, but it’s not that simple. To do that you need to bypass security solutions on the system, such as ASLR.” Recall that Android is based on Linux but does not use Glibc; it uses a substitute called Bionic. The green robot's operating system is therefore not vulnerable and is entirely unaffected by the security flaw. More information can be found at this address.