Vulnerability in glibc could lead to Remote Code Execution (CVE-2015-7547)

Forcepoint Security Labs™ are aware of a bug in the GNU C Library (glibc) that could lead to a stack-based buffer overflow.  The bug, first reported in July 2015, has now been shown to lead to Remote Code Execution (RCE).  The GNU C Library (glibc) is a core component of GNU systems and those with the Linux kernel.

The bug has been assigned CVE-2015-7547.

Overview and Timeline

• The vulnerable code was introduced just under 8 years ago in glibc 2.9.
• A bug was reported in July 2015 indicating an issue in the code behavior.
• Researchers from Google and Redhat simultaneously investigated the original bug report and discovered the RCE possibility.
• The buffer overflow occurs in the function send_dg (UDP) and send_vc (TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family and, in some cases, also with AF_INET6 before the fix in commit 8479f23a (only use gethostbyname4_r if PF_UNSPEC).  The use of AF_UNSPEC triggers the low-level resolver code to send out two parallel queries for A and AAAA.
• A mismanagement of the buffers used for those queries could result in the response writing beyond the allocated buffer created by __res_nquery.
• Systems that use glibc could therefore be affected. Such systems include DNS Servers.
• The last time a RCE issue in glibc was brought to the public's attention was with the GHOST vulnerability of January 2015.

How Is It Exploited?

While this is not an attack on DNS servers directly, it is a vulnerability in glibc which is used extensively, including DNS servers such as BIND.  An attacker could therfore host a website that triggers the vulnerability if the DNS Server is asked to resolve to that hostname.

Risk and Complexity

Whilst inducing a segfault is considered relatively straightforward it is thought that a fully functioning Remote Code Execution attack is much harder to execute, although it is possible.

Given that an attacker could host a malicious domain which, when resolved by the DNS Server, could trigger a segmentation fault (and thus crash) on the DNS Server, it would be wise to consider that malware authors will be looking at this bug in more detail with a view to building a fully functioning Proof Of Concept.

Are You Vulnerable?

Google researchers have released a non-weaponized Proof Of Concept script which will allow you to check if you are vulnerable or if any mitigations were succesful.  That script is here and is provided "as is" by Google: https://github.com/fjserna/CVE-2015-7547

If you are running glibc 2.9 or above (or that instance is being used by your software vendor) you should consider upgrading to a later version or applying a vendor patch (see the Mitigation Advice below).  The latest version of glibc is currently 2.22 released on 14th August 2015, but that is likely to change soon.

To check which version of glibc you have, running a simple command on the operating system will help.  For example, on any Ubuntu system, typing <sudo apt show libc6> will print the details about glibc on the system.  As in this example which shows the system to be vulnerable, assuming no mitigations applied:

Mitigation Advice

A patch has been made available: https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

Multiple mitigations are provided on the above thread, including ones that do not fully work - it is worth knowing about those too.

Vendors are currently building and releasing their own patches and you should consider applying those as soon as they become available.

Forcepoint Security Labs are continuing to investigate this bug and any implications.