glibc vulnerable to stack buffer overflow in DNS resolver

2016-02-17T00:00:00
ID VU:457759
Type cert
Reporter CERT
Modified 2016-03-14T14:25:00

Description

Overview

GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2015-7547

According to a Google security blog post:

"The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack."

According to glibc developers, the vulnerable code was initially added in May 2008 as part of the development for glibc 2.9. All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected.

More details and analysis are available in the patch announcement from glibc developers.


Impact

The getaddrinfo() function allows a buffer overflow condition in which arbitrary code may be executed. The impact varies depending on whether the use case is local or remote.


Solution

Apply an update

A patch for glibc is available. Affected users should apply the patch as soon as possible. The patch will also be included as part of the upcoming glibc 2.23 release.

The Vendor Status information below provides more information on updates.


Vendor Information

Some embedded operating systems, or older and no longer supported versions of Linux distributions, may contain an older version of glibc that is vulnerable. Please check with your vendor to find out whether you need to upgrade to a newer operating system in order to address this issue.



Android Open Source Project Affected

Notified: February 17, 2016 Updated: February 23, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc. Affected

Notified: February 17, 2016 Updated: February 17, 2016

Statement Date: February 17, 2016

Status

Affected

Vendor Statement

"Arista Networks is investigating the applicability of VU#457759 to our products. More information will be available as the investigation proceeds."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

  • <https://www.arista.com/en/support/advisories-notices/security-advisories/1255-security-advisory-17>

Blue Coat Systems Affected

Notified: February 17, 2016 Updated: February 26, 2016

Statement Date: February 26, 2016

Status

Affected

Vendor Statement

"Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code."

Vendor Information

Fixes for the vulnerable products are pending. Please see the advisory below.

Vendor References

  • <https://bto.bluecoat.com/security-advisory/sa114>

CentOS Affected

Notified: February 17, 2016 Updated: March 14, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

A patched version of glibc is available for CentOS. The forum discussion at the URL below provides further information.

Vendor References

  • <https://www.centos.org/forums/viewtopic.php?t=56467>

Cisco Affected

Notified: February 17, 2016 Updated: February 18, 2016

Statement Date: February 18, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Cisco has published a security advisory, at the URL below, detailing which of its products are affected:

Vendor References

  • <http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc>

Debian GNU/Linux Affected

Notified: February 17, 2016 Updated: February 17, 2016

Statement Date: February 17, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Debian has released glibc updates containing the patches. Please see the announcements below:

Vendor References

  • <https://lists.debian.org/debian-security-announce/2016/msg00050.html>
  • <https://lists.debian.org/debian-security-announce/2016/msg00051.html>
  • <https://lists.debian.org/debian-lts-announce/2016/02/msg00009.html>

GNU glibc Affected

Notified: February 17, 2016 Updated: February 17, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

A detailed analysis and patch for glibc are available at the URL below.

Vendor References

  • <https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>

Gentoo Linux Affected

Notified: February 17, 2016 Updated: February 17, 2016

Statement Date: February 17, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

glibc has been updated with the patch on Gentoo. Please see the Gentoo security advisory at the URL below.

Addendum

<https://security.gentoo.org/glsa/201602-02>


Red Hat, Inc. Affected

Notified: February 17, 2016 Updated: February 17, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

glibc has been updated with the patch. Please see the Red Hat security advisory at the URL below.

Vendor References

  • <https://access.redhat.com/security/cve/CVE-2015-7547>

Ubuntu Affected

Notified: February 17, 2016 Updated: February 17, 2016

Statement Date: February 17, 2016

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

Ubuntu has released a patched version of glibc. Please see the security advisory at the URL below:

Vendor References

  • <http://www.ubuntu.com/usn/usn-2900-1/>

EfficientIP Not Affected

Updated: February 18, 2016

Statement Date: February 18, 2016

Status

Not Affected

Vendor Statement

"No version of our software is affected by VU#457759 (glibc vulnerable to stack buffer overflow in DNS resolver)"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux Not Affected

Notified: February 17, 2016 Updated: February 22, 2016

Statement Date: February 20, 2016

Status

Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected. We use a fork of a version of glibc predating the introduction of this vulnerability.

We have previously patched the somewhat related GHOST vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PC-BSD Not Affected

Notified: February 17, 2016 Updated: February 17, 2016

Statement Date: February 17, 2016

Status

Not Affected

Vendor Statement

PC-BSD is based upon FreeBSD, and as such does not use glibc by default for any native *BSD applications. As such, it is not vulnerable to CVE-2015-7547.

PC-BSD does allow running Linux applications through emulation, in which case users should ensure their packages / VMs are updated in accordance with upstream methods.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TCPWave Not Affected

Updated: February 18, 2016

Statement Date: February 18, 2016

Status

Not Affected

Vendor Statement

"The TCPWave DNS Appliances and TCPWave Sharkcage Appliances do not use a vulnerable version of glibc in the current production releases. A newer version that is scheduled for a summer release has been found vulnerable and has been patched. When the customers upgrade the existing appliances to a newer version, they will not be impacted by this vulnerability."

Vendor Information

TCPWave has provided a security advisory at the URL below:

Vendor References

  • <http://www.tcpwave.com/security-advisory-vu457759/>

ACCESS Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

AT&T Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Alcatel-Lucent Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Apple Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Arch Linux Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Aruba Networks Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Avaya, Inc. Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Barracuda Networks Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Belkin, Inc. Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Brocade Communication Systems Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CA Technologies Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Check Point Software Technologies Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Contiki OS Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

CoreOS Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

D-Link Systems, Inc. Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DesktopBSD Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

DragonFly BSD Project Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

EMC Corporation Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Enterasys Networks Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Ericsson Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

European Registry for Internet Domains Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Extreme Networks Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

F5 Networks, Inc. Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fedora Project Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Force10 Networks Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Fortinet, Inc. Unknown

Notified: February 17, 2016 Updated: February 29, 2016

Statement Date: February 29, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The following products are confirmed to be not affected:

  * FortiOS
  * FortiSwitch
  * FortiAnalyzer

Other products are in the course of being investigated. Please see the URL below for more information and updates.

Vendor References

  • <http://www.fortiguard.com/advisory/glibc-getaddrinfo-stack-overflow>

Foundry Brocade Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

FreeBSD Project Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

GNU adns Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Google Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hardened BSD Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hewlett Packard Enterprise Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Hitachi Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Huawei Technologies Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM Corporation Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

IBM eServer Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Infoblox Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Intel Corporation Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Internet Systems Consortium Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Internet Systems Consortium - DHCP Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

JH Software Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Juniper Networks Unknown

Notified: February 17, 2016 Updated: February 22, 2016

Statement Date: February 19, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has provided the following list. A statement is available at the URL below.

The following products have been confirmed to be not vulnerable to the glibc issue reported as CVE-2015-7547:

  * Junos OS does not use glibc and is not affected by this issue.

    Note: Linux VM-based platforms (e.g. vSRX, vMX, etc.) include glibc, but do not make use of DNS client libraries during normal operation.

  * Junos Space
  * ScreenOS uses a different implementation of libc and is not affected by this issue.
  * QFabric Director
  * JUNOSe
  * CTP and CTPView
  * NSM server relies on the underlying OS glibc library. Contact the OS vendor.
  * SBR Carrier running on RHEL relies on the glibc library shipped with the OS. Customers should contact the OS vendor to upgrade glibc.
  * SBR Carrier running on Solaris is not vulnerable as it does not use this library.
  * WX/WXC
  * Netscreen IDP

Other products are still under investigation.

Vendor References

  • <http://forums.juniper.net/t5/Security-Incident-Response/glibc-getaddrinfo-stack-based-buffer-overflow-CVE-2015-7547/ba-p/288261>

Lynx Software Technologies Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

McAfee Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Microsoft Corporation Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NEC Corporation Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NLnet Labs Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

NetBSD Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nokia Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Nominum Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OmniTI Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OpenBSD Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

OpenDNS Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Oracle Corporation Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Peplink Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

PowerDNS Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Q1 Labs Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

QNX Software Systems Inc. Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SUSE Linux Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SafeNet Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Secure64 Software Corporation Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Slackware Linux Inc. Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

SmoothWall Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Snort Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sony Corporation Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Sourcefire Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Symantec Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

TippingPoint Technologies Inc. Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Turbolinux Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Unisys Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

VMware Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Wind River Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

Xilinx Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

ZyXEL Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

dnsmasq Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

gdnsd Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

m0n0wall Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References

openSUSE project Unknown

Notified: February 17, 2016 Updated: February 17, 2016

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor References


CVSS Metrics

Group | Score | Vector
---|---|---
Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal | 8.1 | E:POC/RL:TF/RC:C
Environmental | 8.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • <https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>
  • <https://sourceware.org/bugzilla/show_bug.cgi?id=18665>
  • <https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>
  • <https://sourceware.org/glibc/wiki/Glibc%20Timeline>

Acknowledgements

This vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O'Donell of Red Hat. Google thanks: "Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O'Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development."

This document was written by Garret Wassermann.

Other Information

CVE IDs: | CVE-2015-7547
---|---
Date Public: | 2016-02-16
Date First Published: | 2016-02-17
Date Last Updated: | 2016-03-14 14:25 UTC
Document Revision: | 52