Linux Tutorial
Critical Linux vulnerability CVE-2015-7547 in GNU C Library (glibc)
CVE-2015-7547 is a critical vulnerability in the GNU C Library (glibc) that was reported by the Google Security Team and Red Hat.
Description of the vulnerability from Red Hat:
A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library.
NOTE: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547)
It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes. (CVE-2015-5229)
Impact:
Any process that resolves host names through glibc (getaddrinfo() and friends, with the default "dns" entry in /etc/nsswitch.conf) is a potential target: an attacker who can answer its DNS query, for example by operating the authoritative server for a domain the process looks up, by controlling the recursive resolver, or by being on the network path, can crash the process or execute code with its privileges. For a daemon running as root this means full compromise of the host, and the exposure is not limited to "DNS software": mail servers, web clients, SSH, package managers and monitoring agents all resolve names.
Impacted Linux distributions:
- Red Hat Enterprise Linux 6 and CentOS 6: RHSA-2016:0175-1
- Red Hat Enterprise Linux 7 and CentOS 7: RHSA-2016:0176-1
- Debian 6 (squeeze), 7 (wheezy), 8 (jessie): DSA-3481-1 (wheezy and jessie); squeeze was fixed through the Debian LTS repository
- Ubuntu 12.04 LTS, 14.04 LTS, 15.10: USN-2900-1
Resolution:
1. Verify the current glibc version.
On CentOS and Red Hat Enterprise Linux, run:
yum list glibc
The installed version is listed under the "Installed Packages" section (rpm -q glibc prints the same package version on one line).
On Ubuntu and Debian, run:
ldd --version
The first line of the output shows the glibc version. Note that ldd only shows the upstream version (e.g. 2.19); the package revision that tells you whether the fix is applied comes from:
dpkg -l libc6
Compare the installed version against this list of patched versions:
- Red Hat Enterprise Linux 6 and CentOS 6: glibc-2.12-1.166.el6_7.7
- Red Hat Enterprise Linux 7 and CentOS 7: glibc-2.17-106.el7_2.4
- Debian 6 (squeeze): eglibc 2.11.3-4+deb6u11
- Debian 7 (wheezy): eglibc 2.13-38+deb7u10
- Debian 8 (jessie): glibc 2.19-18+deb8u3
- Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13
- Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7
- Ubuntu 15.10: libc6 2.21-0ubuntu4.1
Anything older than the version listed for your release is vulnerable.
2. Update glibc and reboot.
On CentOS and Red Hat Enterprise Linux, run:
yum clean all
yum update glibc
reboot
On Ubuntu (12.04 LTS, 14.04 LTS and 15.10) and Debian (6 squeeze, 7 wheezy and 8 jessie), run:
sudo apt-get update
sudo apt-get install libc6
reboot
The reboot is not optional: updating the package only replaces the library file on disk. Every process that was already running keeps the old, vulnerable glibc mapped in memory until it is restarted, and because practically every process on the system links against glibc, a reboot is the only reliable way to be sure nothing is left running against the old copy. If you cannot reboot immediately, at least restart every network-facing service, and check for processes that still map the replaced library before considering the host fixed.
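The "still running against the old library" check from the step above, as an added example that is not part of the original post. It reads /proc/PID/maps, where the kernel marks a mapped file that has since been replaced on disk as "(deleted)", and lists the processes that still need a restart. It assumes a Linux /proc, that the package manager has already installed the fixed glibc, and a script name of check_glibc.sh for the run-directly guard; the maps excerpt inside the script is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the original post): after "yum update glibc" or
# "apt-get install libc6", processes started before the update still have the
# old, vulnerable libc mapped. A reboot is the simplest fix; if you cannot
# reboot right away, this script lists the processes that still need a restart.

# A libc, libresolv or libnss_dns mapping whose backing file was replaced on
# disk: the kernel appends "(deleted)" to the path in /proc/PID/maps.
STALE_RE='/lib(c|resolv|nss_dns)(-[0-9.]+)?\.so[.0-9]* \(deleted\)$'

# stale_libc_maps FILE
#   Print the stale mappings found in a maps file ("-" reads stdin);
#   exit status 0 if any were found, 1 if none (grep semantics).
stale_libc_maps() {
    grep -E "$STALE_RE" "$1"
}

# stale_processes
#   Print "PID COMMAND" for every running process with a stale glibc mapping.
#   Maps files we cannot read (other users' processes without root) are skipped.
stale_processes() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if stale_libc_maps "$maps" >/dev/null 2>&1; then
            cmd=$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)
            printf '%s %s\n' "$pid" "${cmd:-[unknown]}"
        fi
    done
}

# installed_glibc
#   Report the installed package version to compare against the patched list;
#   rpm/dpkg give the package revision, ldd only the upstream version.
installed_glibc() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q glibc
    elif command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='libc6 ${Version}\n' libc6
    else
        ldd --version | head -n 1
    fi
}

# Constructed /proc/PID/maps excerpt (not captured from a real host) for a
# process started before the upgrade: libc and libresolv were replaced on disk,
# the dynamic loader ld-2.19.so was not.
SAMPLE_MAPS='7f1e3c4d2000-7f1e3c68c000 r-xp 00000000 08:01 1052 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
7f1e3c0c1000-7f1e3c0d6000 r-xp 00000000 08:01 1077 /lib/x86_64-linux-gnu/libresolv-2.19.so (deleted)
7f1e3c8a0000-7f1e3c8c3000 r-xp 00000000 08:01 1099 /lib/x86_64-linux-gnu/ld-2.19.so'

# demo_stale_count
#   Run the matcher over the constructed sample and print how many stale
#   mappings it finds (2: libc and libresolv, but not ld).
demo_stale_count() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_libc_maps - | wc -l | tr -d ' '
}

# Live scan only when executed directly as check_glibc.sh (assumed name),
# so the functions can also be sourced from another script.
case "$0" in
    */check_glibc.sh|check_glibc.sh)
        installed_glibc
        echo "Processes still using a replaced glibc (restart them, or reboot):"
        stale_processes
        ;;
esac
```

Run it as root (sudo sh check_glibc.sh) so that every process's maps file is readable; an empty list after the update means no process is left running against the old library. The pattern also matches the plain libc.so.6 naming used by newer distributions.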