On February 16, 2016 details on a vulnerability in glibc were released (CVE-2015-7547). The vulnerability is remotely exploitable and affects a lot of systems.
More info will be added later when more information is available.
We started emergency patch procedures for our environments and managed customer environments.
- Classification: Critical. Remote exploitation possible.
- Impact: Wide impact, all services that use glibc and perform dns resolving are vulnerable.
The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.
Further analysis and testing
The PoC (Proof of Concept) code triggered the vulnerability when directly connecting. When we tested with the available dns resolver configurations in our network it failed. Both PowerDNS Recursor and BIND9 sanitized the request in such a way the PoC did not trigger the vulnerability.
The PowerDNS Recursor had edns disabled (one of the suggested ways to mitigate). BIND9 had edns enabled but neutralized the attack code.
This does not give any guarantees against more sophisticated exploits and it might be possible to bypass the sanitizing effects of using a trusted resolver when edns is enabled.
Disabling edns support in the resolvers and confirming that all servers use a trusted and properly configured set of nameservers will reduce the attack surface significantly.
- Post Google Security Team
- Debian Security tracker
- Post with additional details and mitigation possibilities
- Ubuntu CVE tracker
- Ubuntu Security Notice
- OARC's DNS Reply Size Test Server
- Ars Technica: Extremely severe bug leaves dizzying number of software and devices vulnerable
- Threatpost: Magnitude of glibc Vulnerability Coming to Light
- Dan Kaminsky: A Skeleton Key of Unknown Strength
- 16 feb 23:00 added update on further analysis and testing
- 17 feb 01:00 OSSO DNS resolver adjusted to 512K requests
- 17 feb 03:00 OSSO core and WBP2+ environments patched and updated
- 18, 20 feb: Updated links section.