
Multiple Vulnerabilities in GNU C Library Could Allow for Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2016-033

DATE(S) ISSUED:

02/18/2016

OVERVIEW:

Multiple vulnerabilities have been discovered in the GNU C Library (glibc), which could allow for arbitrary code execution. This library is required in all modern distributions of Linux, as it defines the system calls and other basic facilities used in the Linux kernel. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the exploited application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could lead to a denial of service condition for the affected application.

THREAT INTELLIGENCE:

A proof of concept has been publicly released. There are currently no reports of this vulnerability being exploited in the wild.

SYSTEMS AFFECTED:

  • GNU C Library (glibc) versions 2.9 through 2.22 which may affect most Linux-based systems and applications compiled with glibc.

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users:
HIGH

TECHNICAL SUMMARY:

Multiple vulnerabilities in the GNU C Library (glibc) could allow for arbitrary code execution:
  • An arbitrary code execution vulnerability exists in the host name resolver function ‘getaddrinfo’ due to a stack-based buffer overflow (CVE-2015-7547).
  • A denial of service vulnerability exists in the ‘nss_files’ database (CVE-2014-8121).
  • A buffer overflow vulnerability exists in the ‘_r’ variants of the host name resolution functions, which may result in arbitrary code execution (CVE-2015-1781).
  • An information leak vulnerability exists in ‘strftime’ (CVE-2015-8776).
  • A security bypass vulnerability exists in LD_POINTER_GUARD (CVE-2015-8777).
  • A denial of service vulnerability exists in the ‘hcreate’ and ‘hcreate_r’ functions due to a failed bounds check (CVE-2015-8778).
  • A denial of service vulnerability exists in ‘catopen’ due to several unbounded stack allocations (CVE-2015-8779).
  • An arbitrary code execution vulnerability exists in ‘strxfrm’ due to an integer overflow.
  • A denial of service vulnerability exists in the ‘nmatch’ function when processing a NUL character in a malformed pattern.
  • A heap-based buffer overflow exists in the ‘_IO_wstr_overflow’ function.
  • A denial of service vulnerability exists in the ‘_nss_dns_gethostbyname4_r’ function, which may result in a memory leak.
An attacker can exploit these vulnerabilities to execute arbitrary code in the context of the affected application. Successful exploitation of these vulnerabilities may result in an attacker gaining the same privileges as the exploited application. Depending on the privileges associated with the application, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts could lead to a denial of service condition for the affected application.

RECOMMENDATIONS:

We recommend the following actions be taken:
  • Apply appropriate patches provided by the affected Linux distribution to the vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user to diminish the effects of a successful attack.
  • Contact device vendors to determine if equipment on your infrastructure is affected.
  • Review internal applications to determine if they were compiled with the vulnerable versions of glibc.
Temporary mitigation techniques include:
  • Dropping all UDP DNS packets greater than 512 bytes at the firewall.
  • Using a local resolver that drops non-compliant responses.
  • Avoiding dual A and AAAA queries.
  • Prohibiting use of ‘options edns0’ in /etc/resolv.conf.
  • Limiting all TCP replies to 1024 bytes.
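The following is an added example, not part of the MS-ISAC advisory, showing how an administrator might script the scoping checks above: whether a reported glibc version falls in the affected 2.9 through 2.22 range, whether /etc/resolv.conf still enables edns0, and whether a DNS reply exceeds the temporary 512-byte UDP / 1024-byte TCP limits. The sample `ldd --version` output and resolv.conf text are constructed for the example; distributions backport fixes without changing the version number, so a match here means "verify vendor patch status", not "confirmed vulnerable".

```python
import re

# Affected upstream range stated in the advisory (inclusive).
AFFECTED_MIN = (2, 9)
AFFECTED_MAX = (2, 22)

def parse_glibc_version(text):
    """Extract (major, minor) from 'ldd --version' style output,
    e.g. 'ldd (GNU libc) 2.17' or 'ldd (Debian GLIBC 2.22-11) 2.22'."""
    m = re.search(r'\b(\d+)\.(\d+)\b', text)
    if not m:
        raise ValueError("no glibc version found in: %r" % text)
    return int(m.group(1)), int(m.group(2))

def is_affected_glibc(version):
    """True when the upstream version is within 2.9..2.22.
    Backported vendor fixes are invisible here; treat True as
    'check the distribution's patch status for CVE-2015-7547'."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX

def resolv_conf_has_edns0(text):
    """True if any effective 'options' line in resolv.conf enables edns0.
    Comments ('#' or ';') are stripped before inspection."""
    for line in text.splitlines():
        line = re.split(r'[#;]', line, 1)[0].strip()
        if line.startswith('options'):
            if 'edns0' in line.split()[1:]:
                return True
    return False

def dns_reply_exceeds_limit(payload, transport):
    """Apply the advisory's temporary size limits:
    512 bytes for UDP replies, 1024 bytes for TCP replies."""
    limit = 512 if transport == 'udp' else 1024
    return len(payload) > limit

# Constructed sample inputs (not captured from a real host).
SAMPLE_LDD = "ldd (GNU libc) 2.17\nCopyright (C) 2012 Free Software Foundation"
SAMPLE_RESOLV = "nameserver 192.0.2.53\noptions edns0 timeout:2  # assumed config\n"

if __name__ == "__main__":
    v = parse_glibc_version(SAMPLE_LDD)
    print("glibc %d.%d in affected range: %s" % (v[0], v[1], is_affected_glibc(v)))
    print("edns0 enabled in resolv.conf:", resolv_conf_has_edns0(SAMPLE_RESOLV))
```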

REFERENCES: