Vulnerability in DNS Affects Wide Range of Systems

This is a complex one.

Google announced on Tuesday their discovery of a serious vulnerability in the function ("getaddrinfo") used by the GNU C library ("glibc") on Unix/Linux systems to do DNS lookups. The bug had actually been reported by other researchers back in July of last year, but the potentially serious way in which it could be exploited was not known until now. Google states that exploiting the vulnerability is "not trivial," but that a successful exploitation could enable an attacker to gain complete control of a vulnerable system.

Given that the majority of servers on the Internet are Unix/Linux-based, as are modern Mac computers, Apple i-devices, and Android devices, a serious vulnerability in glibc affects a massive range of computer systems and mobile devices [update -- Apple iOS, Mac OS X, and Android all use different C libraries, not glibc, and are likely not affected]. Patches have started to be released by some vendors, but it may be a week or more (in some case a LOT more) before some systems have a patch.

The vulnerability can only be exploited by a longer-than-normal DNS response. Monitoring for such responses, or using an IPS to block them, could mitigate the vulnerability. Note that these longer responses, or EDNS responses, are required for DNSSEC secure DNS resolution to function. However, in the near term the loss of DNSSEC functionality may be a small sacrifice to avoid potential exploitation of this vulnerability.

On corporate networks, one commonly recommended practice is to configure all internal hosts to forward all DNS requests to a single external resolver, usually located in the network's DMZ. The use of this practice would greatly mitigate the potential impact of this issue for system on organizational networks, as they would not be getting DNS responses directly from external DNS servers.

For more details:
https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
https://isc.sans.edu/forums/diary/CVE20157547+Critical+Vulnerability+in+glibc+getaddrinfo/20737/
http://www.theregister.co.uk/2016/02/20/glibc_kaminsky_cve_2015_7547/
http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
http://www.eweek.com/security/linux-systems-patched-for-critical-glibc-flaw.html
http://malwarejake.blogspot.com/2016/02/problems-with-glibc-getaddrinfo.html

Comments

Post a Comment

Popular posts from this blog

Weekly Infosec News Brief: 14-20 March

Image
Major Media Websites Caught up inNew Malicious Advertising Attacks Last week multiple major advertising networks, including Google's DoubleClick, AppNexus, Rubicon, and AOL were abused by attackers to serve up malicious advertisements on major media sites. These malicious advertisements were redirecting to the "Angler" exploit kit, which uses multiple means to attempt to compromise a browser and install malware. While such malicious ads are common on smaller websites, they are not unheard-of on major media sites. This outbreak, however, was unusually large and long-lived, lasting at least the better part of two days. Given how common malicious web ads are, some security experts are recommending the use of ad blocking technology in web browsers. http://www.computerworld.com/article/3044565/security/advertising-based-cyberattacks-hit-bbc-new-york-times-msn.html Malicious Macros in Word Documents Used to Install Malware with No Files Needed Everything old is new a
Read more

Weekly Infosec News Brief 20-26 July

Image
FBI Sees Massive Increase in Espionage, Including Industrial Espionage, Against the US The FBI on Thursday issued a press release discussing what they believe is an increasing threat of economic espionage against US companies. They estimate that such espionage may cost the US as much as "hundreds of billions" of dollars a year. This espionage is not just directed against large industrial companies, but any place where trade secrets and innovations might be found, including third-party organizations (e.g. business partners, vendors, consultants, lawyers, etc.) affiliated with targeted companies. A key take-away is that the threat is more widespread than most people think, and that few organizations are immune. https://www.fbi.gov/news/pressrel/press-releases/fbi-announces-economic-espionage-awareness-campaign http://www.cnn.com/2015/07/24/politics/fbi-economic-espionage/ Microsoft Releases Out-of-Cycle Patch for Critical Font Driver Bug A flaw uncovered in connecti
Read more

Weekly Infosec News Brief: 22-28 February

Image
Ransomware Observed to Jump from One Device to Another via the Cloud Researchers described last week an incident where they observed malicious "ransomware" propagating from one device to another via cloud-based file synchronization. When the ransomware encrypted files on one machine that synchronized files to a specific folder, it spread to other PCs that synchronized to that same folder. This type of phenomenon is simply another reason for organizations to serious consider limiting or eliminating the use of such file-synchronizing software within their networks. http://www.scmagazine.com/researchers-confirm-cases-of-ransomware-encryption-jumping-devices-via-cloud-apps/article/479572/ New OpenSSL Patches Soon to Come The OpenSSL project team announced last Thursday that they are working on patches to fix at least two "high" severity vulnerabilities in OpenSSL. This is the software that powers the cryptographic security layer of many web servers, browser
Read more