Serious Network Function Vulnerability Found In Glibc

An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.

From TFA

[Cola+Junkee]

" - We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example. "

So it's actually already been fixed. All that's needed here is for some distributions to push the fix out.

Re:From TFA

[XXeR]

But .. but now it has a CVE number and everything - so it must be scary

Written by somebody who clearly neither manages a large amount of hosts exposed to the Internet nor manages multiple environments in which there are some new hosts that are luckily patched along side other older hosts that have to run *slightly* older releases of distro's for one reason or another.

This IS a big deal.

Re:From TFA

[msobkow]

I just installed glibc updates for Debian, so I presume the fix has been pushed.

Re:From TFA

[phantomfive]

Also, please note, it's not enough to call gethostby functions for this bug to be a vulnerability. For it to be a vulnerability, you need several things:

1) A (more or less) specific sequence of function calls. Merely calling gethostby* itself won't do it.
2) The eventual call to gethostby on a string supplied by a hostile user.
3) Have another buffer hostile users to fill (not overflow).
4) A weakness of your program structure that allows four bytes to reference the other buffer.
5) Include a service that runs things on the command line.

Exim allowed all of those. You might be able to get away without number 5 present, but the program would need some other weakness to make it exploitable.

Not all code is vulnerable - getaddrinfo() is fine

[tlhIngan]

The affected call is gethostbyname() and friends, which have been deprecated by the more protocol-transparent getaddrinfo()/getnameinfo() set of APIs. If you use IPv6, getaddrinfo() is the only way (gethostbyname() and friends are AF_INET (IPv4) functions only), but they're protocol transparent ways to do DNS lookups (they can return AF_INET, AF_INET6 and any other valid address supported by the system and DNS).

Deep down, if you look closely, they mention that code using getaddrinfo() is not vulnerable to the bug.

Shortly after learning about getaddrinfo() I stuck to using it - far easier to use than gethostbyname() and less messy in the end. The only complication is having to call freeaddrinfo() when you're done.

Re:Open source code is open for everyone

[myowntrueself]

FOSS *is* more secure, and that's true even with the occasional vulnerability.

Loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooool.

Its true *ESPECIALLY* with the occasional vulnerability because thats a vulnerability thats been found, publicised and fixed unlike in the proprietary shit where the vulnerability will be found by a limited group of people and kept secret so they can use it.

Raspbian vulnerable

[redelm]

According to directions side-thread, glibc versions prior to 2.19 are vulnerable. Checking my machines, Slackware-current and Lubuntu-14.10 are fine. Only my poor tiny Raspberry Pis are vulnerable (2.13). But they run slowly enough I can watch the gethostbyname() lookups myself :)

Re:Open source code is open for everyone

[myowntrueself]

FOSS *is* more secure, and that's true even with the occasional vulnerability.

Loooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooool.

Its true *ESPECIALLY* with the occasional vulnerability because thats a vulnerability thats been found, publicised and fixed unlike in the proprietary shit where the vulnerability will be found by a limited group of people and kept secret so they can use it.

Oh, you mean those nice folks over in Eastern Europe?

and the intelligence network of the 5 main english speaking nations...

Re:Open source code is open for everyone

[peppepz]

In fact, the bug had already been audited and fixed, almost two years ago, when the security researchers found a way to exploit it. From TFA:

We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18)

Current glibc release is 2.20. That's three relases without the bug already.

Nothing to see here, move along.

Re: Open source code is open for everyone

[Aighearach]

You tried. Lots of people died, but the Union won the war. Trying again won't turn out better for you; you'll all die and your communities will be burnt to the ground.

The Civil War was a real thing. Us Americans are still willing to fight for our nation if you want to go that route again.