Feb 18 2016

Is Your Linux Open to DNS Attacks?

Security researchers have identified a vulnerability in the GNU C Library (glibc) that could enable adversaries to hijack routers, servers and other hardware with the help of specially crafted DNS packets. The flaw, which has been entered into the Common Vulnerabilities and Exposures (CVE) list as CVE-2015-7547, affects many core programs shipped with standard Linux distributions, such as SSH, sudo, and curl.

The vulnerability was detected by research teams from Google and Red Hat, who were trying to find out the reason for recurring segmentation faults in SSH clients and other Linux components that regularly perform DNS lookups via the getaddrinfo() function. According to a blog post by Google experts Fermin Serna and Kevin Stadmeyer, the weakness lies in the client-side DNS resolver of glibc, which can cause a stack-based buffer overflow when getaddrinfo() is used. Potential attackers could use fake domain names and fake DNS servers, or position themselves as a man-in-the-middle, to set up traps for unsuspecting users and remotely execute malicious code, effectively taking control of a victim's computer, networking equipment, or embedded system.

More specifically, "the vulnerability relies on an oversized UDP or TCP response," Serna and Stadmeyer explain, and continue: "glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated. Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow." The flaw is present in glibc versions 2.9 through 2.22, i.e. all versions released between November 2008 and August 2015.

Both Google and Red Hat warn that the flaw is critical, especially since it affects core components found in virtually every major Linux distribution (and most smaller ones too), with the exception of Android. Exploitation is comparatively simple, but attackers first have to bypass the security mitigations active on the victim's system, such as ASLR. Linux users can determine whether they are affected by running the "non-weaponized" proof-of-concept code that Serna and Stadmeyer published on GitHub. Meanwhile, the glibc maintainers have issued a patch; security advisories and fixes are also available for Linux distributions from Debian, Red Hat, and Ubuntu.
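A quick first triage step, before running the proof of concept, is to compare the glibc version a host is actually running against the affected range given above (2.9 through 2.22). The following script is an added example and not code from the article or from the Google/Red Hat researchers; it assumes a Linux host with Python 3 and uses glibc's gnu_get_libc_version() through ctypes. A version number alone is not conclusive, because distributions backport the fix without changing the version, so treat a hit as "check your distribution's advisory", not as proof of exposure.

```python
"""Triage helper: is the running glibc inside the CVE-2015-7547 version range?"""
import ctypes
import ctypes.util
import re

AFFECTED_MIN = (2, 9)    # first affected release (November 2008)
AFFECTED_MAX = (2, 22)   # last affected release (August 2015); 2.23 carries the fix


def parse_glibc_version(text):
    """Extract (major, minor) from strings such as '2.17', '2.22-stable'
    or 'ldd (GNU libc) 2.19'. Returns None when no version is present."""
    match = re.search(r"\b(\d+)\.(\d+)", text)
    if not match:
        return None
    return (int(match.group(1)), int(match.group(2)))


def is_affected_version(version):
    """True when (major, minor) lies in the range the advisory names."""
    if version is None:
        return False
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def running_glibc_version():
    """Ask the C library loaded into this process for its version string.
    Returns None on non-glibc systems (musl, macOS, Windows)."""
    try:
        libc = ctypes.CDLL(ctypes.util.find_library("c"))
        fn = libc.gnu_get_libc_version      # only exported by glibc
    except (OSError, AttributeError, TypeError):
        return None
    fn.restype = ctypes.c_char_p
    return parse_glibc_version(fn().decode())


def assess(version):
    """Human-readable verdict; deliberately conservative because vendors
    backport the fix into 2.9..2.22 packages without bumping the version."""
    if version is None:
        return "not glibc: CVE-2015-7547 does not apply"
    label = "%d.%d" % version
    if is_affected_version(version):
        return ("glibc %s is in the affected range 2.9-2.22: confirm the "
                "distribution's patched package or apply the vendor fix" % label)
    return "glibc %s is outside the affected range" % label


if __name__ == "__main__":
    print(assess(running_glibc_version()))
```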

For more details and background info, please also see Dan Goodin's piece over at Ars Technica.
