Slashdot Mirror

← Back to Stories (view on slashdot.org)

Serious Network Function Vulnerability Found In Glibc

Posted by Soulskill on from the audits-finding-gold dept.

An anonymous reader writes: A very serious security problem has been found and patched in the GNU C Library (Glibc). A heap-based buffer overflow was found in __nss_hostname_digits_dots() function, which is used by the gethostbyname() and gethostbyname2() function calls. A remote attacker able to make an application call to either of these functions could use this flaw to execute arbitrary code with the permissions of the user running the program. The vulnerability is easy to trigger as gethostbyname() can be called remotely for applications that do any kind of DNS resolving within the code. Qualys, who discovered the vulnerability (nicknamed "Ghost") during a code audit, wrote a mailing list entry with more details, including in-depth analysis and exploit vectors.

5 of 211 comments (clear)

  1. From TFA by Cola+Junkee · · Score: 5, Informative

    " - We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18). Unfortunately, it was not recognized as a security threat; as a result, most stable and long-term-support distributions were left exposed (and still are): Debian 7 (wheezy), Red Hat Enterprise Linux 6 & 7, CentOS 6 & 7, Ubuntu 12.04, for example. "

    So it's actually already been fixed. All that's needed here is for some distributions to push the fix out.

    --

    f u cn rd ths, u r prbbly a lsy spllr.

    1. Re:From TFA by XXeR · · Score: 4, Informative

      But .. but now it has a CVE number and everything - so it must be scary

      Written by somebody who clearly neither manages a large amount of hosts exposed to the Internet nor manages multiple environments in which there are some new hosts that are luckily patched along side other older hosts that have to run *slightly* older releases of distro's for one reason or another.

      This IS a big deal.

  2. Not all code is vulnerable - getaddrinfo() is fine by tlhIngan · · Score: 4, Informative

    The affected call is gethostbyname() and friends, which have been deprecated by the more protocol-transparent getaddrinfo()/getnameinfo() set of APIs. If you use IPv6, getaddrinfo() is the only way (gethostbyname() and friends are AF_INET (IPv4) functions only), but they're protocol transparent ways to do DNS lookups (they can return AF_INET, AF_INET6 and any other valid address supported by the system and DNS).

    Deep down, if you look closely, they mention that code using getaddrinfo() is not vulnerable to the bug.

    Shortly after learning about getaddrinfo() I stuck to using it - far easier to use than gethostbyname() and less messy in the end. The only complication is having to call freeaddrinfo() when you're done.

  3. Raspbian vulnerable by redelm · · Score: 5, Informative

    According to directions side-thread, glibc versions prior to 2.19 are vulnerable. Checking my machines, Slackware-current and Lubuntu-14.10 are fine. Only my poor tiny Raspberry Pis are vulnerable (2.13). But they run slowly enough I can watch the gethostbyname() lookups myself :)

  4. Re:Open source code is open for everyone by peppepz · · Score: 4, Informative
    In fact, the bug had already been audited and fixed, almost two years ago, when the security researchers found a way to exploit it. From TFA:

    We identified a number of factors that mitigate the impact of this bug. In particular, we discovered that it was fixed on May 21, 2013 (between the releases of glibc-2.17 and glibc-2.18)

    Current glibc release is 2.20. That's three relases without the bug already.

    Nothing to see here, move along.