CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

Yesterday, a patch was posted to libc-alpha and committed to our master tree (as e9db92d) to fix a serious vulnerability in glibc. It was discovered that bug 18665 could lead to a stack-based buffer overflow, potentially resulting in remote code execution.

Google managed to exploit this vulnerability and released some details (but not the full exploit) in their Security Blog. A full explanation of CVE-2015-7547, including glibc internals specifics, is available at Carlos O’Donell’s post to libc-alpha.

You should patch your glibc as soon as possible. This affects all glibc versions since 2.9 (May 2008).

  • Update (2015-02-22): the patch for CVE-2015-7547 is already included in the recent glibc-2.23 release and has been backported to the 2.21 and 2.22 release branches.

Until you do, Carlos O’Donell lists some mitigations in his post to libc-alpha:

- Mitigating factors for UDP include:
  - A firewall that drops UDP DNS packets > 512 bytes.
  - A local resolver (that drops non-compliant responses).
  - Avoid dual A and AAAA queries (avoids buffer management error), e.g.
    do not use AF_UNSPEC.
  - No use of `options edns0` in /etc/resolv.conf since EDNS0 allows
    responses larger than 512 bytes and can lead to valid DNS responses
    that overflow.
  - No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both
    lead to valid large EDNS0-based DNS responses that can overflow.

- Mitigating factors for TCP include:
  - Limit all replies to 1024 bytes.

And also, what does NOT work:

- Mitigations that don't work:
  - Setting `options single-request` does not change buffer management
    and does not prevent the exploit.
  - Setting `options single-request-reopen` does not change buffer
    management and does not prevent the exploit.
  - Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC
    unconditionally enables the dual query.
    - The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not
      protect your system from the exploit.
  - Blocking IPv6 at a local or intermediate resolver does not work to
    prevent the exploit. The exploit payload can be delivered in A or
    AAAA results; it is the parallel query that triggers the buffer
    management flaw.
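The lists above are easy to misread on a real host, so here is an added example (not from this post nor from Carlos’s message) that audits a resolv.conf for the option that enlarges responses past 512 bytes (`edns0`) and for the two `options` settings the post says give no protection; the sample file contents and the 192.0.2.53 nameserver are constructed.

```python
import ctypes

# Options that permit DNS responses > 512 bytes (increase exposure).
RISKY_OPTIONS = {"edns0"}
# Options the libc-alpha post says do NOT prevent the exploit.
INEFFECTIVE_MITIGATIONS = {"single-request", "single-request-reopen"}

# Constructed sample, not a real system file.
SAMPLE_RESOLV_CONF = """# constructed example
nameserver 192.0.2.53
options edns0 ndots:2 single-request
"""


def parse_resolv_options(text):
    """Return the option names found on every 'options' line.
    Both '#' and ';' start comments in resolv.conf; 'ndots:2' -> 'ndots'."""
    opts = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        parts = line.split()
        if parts and parts[0] == "options":
            opts.update(tok.split(":", 1)[0] for tok in parts[1:])
    return opts


def audit_resolv_conf(text):
    """Return human-readable findings for the CVE-2015-7547 mitigation list."""
    opts = parse_resolv_options(text)
    findings = []
    for opt in sorted(opts & RISKY_OPTIONS):
        findings.append(f"risky: 'options {opt}' allows responses > 512 bytes")
    for opt in sorted(opts & INEFFECTIVE_MITIGATIONS):
        findings.append(f"ineffective: 'options {opt}' does not prevent the exploit")
    return findings


def running_glibc_version():
    """Version string of the glibc this process runs on (Linux/glibc only).
    Only a hint: distributions backport the fix without changing the version."""
    libc = ctypes.CDLL("libc.so.6")
    libc.gnu_get_libc_version.restype = ctypes.c_char_p
    return libc.gnu_get_libc_version().decode()


if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        for finding in audit_resolv_conf(fh.read()):
            print(finding)
```

Run it on a host to see which of the listed settings are present; the glibc version it reports is a hint only, since the fix was backported to the 2.21 and 2.22 branches and distributions ship backports under older version numbers.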

If you have any questions or comments, please let me know.
