Yesterday, a patch was posted to libc-alpha and committed to our master tree (as e9db92d) to fix a serious vulnerability in glibc. It was discovered that bug 18665 could lead to a stack-based buffer overflow, potentially resulting in remote code execution.
Google managed to exploit this vulnerability and released some details (but not the full exploit) in their Security Blog. A full explanation of CVE-2015-7547, including glibc internals specifics, is available at Carlos O’Donell’s post to libc-alpha.
You should patch your glibc as soon as possible. This affects all glibc versions since 2.9 (May 2008).
- Update (2015-02-22): patch for CVE-2015-7547 is already included in the recent glibc-2.23 release and it was backported to release branches 2.21 and 2.22.
Until you can do that, Carlos O’Donell offers some mitigations in his post to libc-alpha:
- Mitigating factors for UDP include:
  - A firewall that drops UDP DNS packets > 512 bytes.
  - A local resolver (that drops non-compliant responses).
  - Avoid dual A and AAAA queries (avoids buffer management error), e.g. do not use AF_UNSPEC.
  - No use of `options edns0` in /etc/resolv.conf, since EDNS0 allows responses larger than 512 bytes and can lead to valid DNS responses that overflow.
  - No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC`, since they can both lead to valid large EDNS0-based DNS responses that can overflow.
- Mitigating factors for TCP include:
  - Limit all replies to 1024 bytes.
And also, what does NOT work:
- Mitigations that don't work:
  - Setting `options single-request` does not change buffer management and does not prevent the exploit.
  - Setting `options single-request-reopen` does not change buffer management and does not prevent the exploit.
  - Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC unconditionally enables the dual query.
  - The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not protect your system from the exploit.
  - Blocking IPv6 at a local or intermediate resolver does not work to prevent the exploit. The exploit payload can be delivered in A or AAAA results; it is the parallel query that triggers the buffer management flaw.
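As an added example (not from the original post or from glibc), here is a small shell checker that applies the two lists above to a resolv.conf: it flags `options edns0` as a real risk, reports `single-request`/`single-request-reopen` as settings that do not mitigate anything, and classifies a glibc version string against the affected range. The file path, the version string and the sample resolv.conf are all constructed inputs.

```shell
#!/bin/sh
# Added example, not from the original post: a checker for the resolver-side
# mitigations listed above. It takes the resolv.conf path and the glibc
# version as parameters instead of probing the live system.

# has_option FILE NAME: true if an "options" line in FILE carries NAME
has_option() {
    grep -Eq "^[[:space:]]*options([[:space:]]+[^[:space:]]+)*[[:space:]]+$2([[:space:]]|\$)" "$1"
}

# check_resolv_conf FILE: prints findings; returns 1 if a risky option is set
check_resolv_conf() {
    rc=0
    # edns0 permits UDP answers larger than 512 bytes: removing it is a mitigation
    if has_option "$1" edns0; then
        echo "RISK: 'options edns0' allows DNS responses > 512 bytes"
        rc=1
    fi
    # These only change query timing, not buffer management; they are not fixes
    for opt in single-request single-request-reopen; do
        if has_option "$1" "$opt"; then
            echo "NOTE: 'options $opt' does not mitigate CVE-2015-7547"
        fi
    done
    return $rc
}

# glibc_in_affected_range VERSION: true for 2.9 <= VERSION < 2.23.
# The fix was backported to the 2.21 and 2.22 branches, so a version number
# alone does not prove a system is unpatched; treat a hit as "verify the patch".
glibc_in_affected_range() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    [ "$major" -eq 2 ] && [ "$minor" -ge 9 ] && [ "$minor" -lt 23 ]
}

# Constructed sample resolv.conf (not a real configuration)
SAMPLE_RESOLV=$(mktemp)
cat > "$SAMPLE_RESOLV" <<'EOF'
nameserver 192.0.2.53
options edns0 single-request
EOF

check_resolv_conf "$SAMPLE_RESOLV"
glibc_in_affected_range 2.22 && echo "glibc 2.22 is in the affected range; verify the backport"
rm -f "$SAMPLE_RESOLV"
```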
If you have any questions or comments, please let me know.