In-brief: Researchers at Google are warning about a previously undetected flaw in a widely used open source library could be exploited by attacks using overly long web domain names.
Researchers at Google are warning about a previously undetected flaw in a widely used open source library could be exploited and used to run malicious code on affected systems.
The researchers, Fermin Serna and Kevin Stadmeyer, both of Google, wrote on the company’s security blog Tuesday that the flaw in a component known as the “glibc DNS client side resolver” makes it vulnerable to a kind of attack called a “stack-based buffer overflow” that could be triggered by sending vulnerable systems overly-long domain names crafted by attackers to exploit the flaw or with malicious DNS servers. The researchers were able to develop a working exploit for the attack that could place malicious code on vulnerable systems under some conditions.
According to the post, researchers at Google discovered the issue while researching mysterious crashes in an SSH (secure shell) client reported by a Google engineer. Their investigation identified the GNU C Library (or “glibc”) as the source of the crashes, not the SSH client software. According to their report, the flaw is triggered when the glibc library calls a function, getaddrinfo().
Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack, the researchers wrote. The vulnerability was introduced with the 2.9 update of glibc, which was released in November, 2008. Any versions of the glibc library since 2.9 are vulnerable, the researchers said.
The issue was independently discovered in July 2015 and was also being investigated by the firm Red Hat. The flaw has been assigned the identifier CVE-2015-7547. It works by exploiting a flaw in code that allocates buffer space when especially long DNS queries (longer than 2048 bytes) are received, resulting in data being written beyond the limits of the buffer set up to handle responses.
To exploit the flaw, an attacker would need to prompt a target system to attempt a DNS resolution to a domain controlled by the attacker. The domain would respond with a very large DNS packet (2048 bytes), filling the buffer on the target system. The buggy code would then create a new, larger buffer which can then be filled with a malicious payload and executed.
While the researchers did create a proof of concept to test whether systems are vulnerable as well as exploit code, which they said they are not releasing to the public.
The researchers suggested a number of mitigations for the flaw. Firewalls can be configured to simply drop UDP DNS packets larger than 512 bytes. A local DNS resolver can be used to drop non-compliant DNS responses or TCP replies can be limited to 1024 bytes. Tools like DNSMasq can be used to limit the size of DNS queries. Organizations also should make sure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.
The impact of the flaw is potentially huge. Glibc is a common, core component of a dizzying number of systems, including those using the Linux kernel on x86 hardware and other architectures.
In that way, the flaw is similar to the Heartbleed vulnerability in OpenSSL. As in that case, the glibc open source software is widely used and relied on, but not as strenuously managed as its widespread adoption might suggest.