Critical bug in glibc affecting millions of Linux applications

Feb 17, 2016 | By Kashinath T | 3 min read

It has been reported that there is a critical bug in glibc. The bug discovered in glibc has been present since 2008. A huge amount of Linux software can be hijacked by miscreants from the other side of the internet.

The GNU C Library (glibc) is an essential component of Linux distributions. Researchers at Google and Red Hat identified the flaw in glibc’s DNS resolver. The DNS resolver is used to translate human-readable domain names, such as www.secpod.com, into network IP addresses. A vulnerability management tool can detect this bug.

Technical Description (CVE-2015-7547):

The glibc DNS client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() function is called. Software using this function can be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack. By using auto patching, this bug can be remediated.

glibc allocates 2048 bytes on the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r(), to hold responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.

Under certain conditions, a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer is used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.
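The bookkeeping mismatch described above, modelled as an added example (not glibc's code and not part of the original article). The struct, the function names and the keep_in_sync switch are hypothetical; only the 2048-byte size comes from the text, and no bytes are copied: the function only reports how far a copy would run past its destination.

```c
#include <stdio.h>
#include <stdlib.h>

#define STACK_ANSWER_SIZE 2048   /* size the text gives for the alloca() buffer */

/* Hypothetical per-lookup bookkeeping; field names are illustrative only. */
struct answer_state {
    unsigned char *buf;       /* where the response will be stored        */
    size_t         bufsize;   /* capacity the resolver believes buf has   */
    unsigned char *stackbuf;  /* the original fixed-size buffer           */
    unsigned char *heapbuf;   /* replacement buffer, NULL until needed    */
};

/* Move to the heap when the response does not fit. keep_in_sync == 0 models
 * the mismatch: the size is updated, the pointer still names the stack buffer. */
static int grow_for_response(struct answer_state *st, size_t resplen, int keep_in_sync)
{
    if (resplen <= st->bufsize) return 0;
    st->heapbuf = malloc(resplen);
    if (st->heapbuf == NULL) return -1;
    st->bufsize = resplen;
    if (keep_in_sync) st->buf = st->heapbuf;
    return 0;
}

/* True capacity of whatever buf points at, independent of bufsize. */
static size_t real_capacity(const struct answer_state *st)
{
    return st->buf == st->stackbuf ? STACK_ANSWER_SIZE : st->bufsize;
}

/* Bytes that would land past the end of the destination (0 = safe copy). */
size_t overflow_bytes(size_t resplen, int keep_in_sync)
{
    unsigned char stackbuf[STACK_ANSWER_SIZE];
    struct answer_state st = { stackbuf, sizeof stackbuf, stackbuf, NULL };
    size_t over = 0;
    if (grow_for_response(&st, resplen, keep_in_sync) != 0) return (size_t)-1;
    /* The length check against bufsize passes, yet the destination is too small. */
    if (resplen <= st.bufsize && resplen > real_capacity(&st))
        over = resplen - real_capacity(&st);
    free(st.heapbuf);
    return over;
}

int main(void)
{
    printf("in sync: %zu, mismatched: %zu\n", overflow_bytes(3000, 1), overflow_bytes(3000, 0));
    return 0;
}
```

The point for a reviewer is that a length check against the recorded size is only as good as the invariant tying that size to the pointer it describes.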

The buffer overflow can be exploited through software such as ssh, sudo, and curl. The code that causes the vulnerability was introduced in May 2008 as part of glibc 2.9.

Exploitation (Proof of Concept):

The critical bug in glibc can be exploited when a device or app makes queries to a malicious DNS server or clicks on a link to a malicious DNS server, which returns too much information to a lookup request and floods the program’s memory with code.

This code then compromises the vulnerable device and tries to take control of the whole system. It is possible to inject the domain name into server log files, which, when resolved, will trigger remote code execution. However, this requires bypassing the security mitigations existing on the system, such as ASLR and non-executable stack protection.

Affected versions: All versions of glibc after 2.9 are vulnerable.

SecPod Saner detects this vulnerability and automatically fixes it by applying security updates. Download Saner now and keep your systems updated and secure.
