CERTVU:457759glibc vulnerable to stack buffer overflow in DNS resolver
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%
Overview
GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.
Description
CWE-121**: Stack-based Buffer Overflow -**CVE-2015-7547
According to a Google security blog post:
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”
According to glibc developers, the vulnerable code was initially added in May 2008 as part of the development for glibc 2.9. All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected.
More details and analysis are available in the patch announcement from glibc developers.
Impact
The getaddrinfo() function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on if the use case is local or remote.
Solution
Apply an update
A patch for glibc is available. Affected users should apply the patch as soon as possible. The patch will also be included as part of the upcoming glibc 2.23 release.
The Vendor Status information below provides more information on updates.
Vendor Information
Some embedded operating systems or older, no longer supported versions of linux distributions may contain an older version of glibc that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue.
457759
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Android Open Source Project Affected
Notified: February 17, 2016 Updated: February 23, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Arista Networks, Inc. __ Affected
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Status
Affected
Vendor Statement
“Arista Networks is investigating the applicability of VU#457759 to our products. More information will be available as the investigation proceeds.”
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Vendor References
Blue Coat Systems __ Affected
Notified: February 17, 2016 Updated: February 26, 2016
Statement Date: February 26, 2016
Status
Affected
Vendor Statement
“Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code.”
Vendor Information
Fixes for the vulnerable products are pending. Please see the advisory below.
Vendor References
CentOS __ Affected
Notified: February 17, 2016 Updated: March 14, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
A patched version of glibc is available for CentOS. The forum discussion at the URL below provides further information.
Vendor References
Cisco __ Affected
Notified: February 17, 2016 Updated: February 18, 2016
Statement Date: February 18, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Cisco has provided a security advisory which contains details of which products are affected at the URL below:
Vendor References
Debian GNU/Linux __ Affected
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Debian has released glibc updates containing the patches. Please see the announcements below:
Vendor References
- <https://lists.debian.org/debian-security-announce/2016/msg00050.html>
- <https://lists.debian.org/debian-security-announce/2016/msg00051.html>
- <https://lists.debian.org/debian-lts-announce/2016/02/msg00009.html>
GNU glibc __ Affected
Notified: February 17, 2016 Updated: February 17, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
A detailed analysis and patch for glibc are available at the URL below.
Vendor References
Gentoo Linux __ Affected
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
glibc has been updated with the patch on Gentoo. Please see the Gentoo security advisory at the URL below.
Addendum
<https://security.gentoo.org/glsa/201602-02>
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23457759 Feedback>).
Red Hat, Inc. __ Affected
Notified: February 17, 2016 Updated: February 17, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
glibc has been updated with the patch. Please see the Red Hat security advisory at the URL below.
Vendor References
Ubuntu __ Affected
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
Ubuntu has released a patched version of glibc. Please see the security advisory at the URL below:
Vendor References
EfficientIP __ Not Affected
Updated: February 18, 2016
Statement Date: February 18, 2016
Status
Not Affected
Vendor Statement
“No version of our software is affected by VU#457759 (glibc vulnerable to stack buffer overflow in DNS resolver)”
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
Openwall GNU/*/Linux __ Not Affected
Notified: February 17, 2016 Updated: February 22, 2016
Statement Date: February 20, 2016
Status
Not Affected
Vendor Statement
"Openwall GNU/*/Linux is not affected. We use a fork of a version of glibc predating the introduction of this vulnerability.
We have previously patched the somewhat related GHOST vulnerability."
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
PC-BSD __ Not Affected
Notified: February 17, 2016 Updated: February 17, 2016
Statement Date: February 17, 2016
Status
Not Affected
Vendor Statement
PC-BSD is based upon FreeBSD, and as such does not use glibc by default for any native *BSD applications. As such, it is not vulnerable to CVE-2015-7547.
PC-BSD does allow running Linux applications through emulation, in which case users should ensure their packages / VM’s are updated in accordance with upstream methods.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
TCPWave __ Not Affected
Updated: February 18, 2016
Statement Date: February 18, 2016
Status
Not Affected
Vendor Statement
“The TCPWave DNS Appliances and TCPWave Sharkcage Appliances do not use a vulnerable version of glibc in the current production releases. A newer version that is scheduled for a summer release has been found vulnerable and has been patches. When the customers upgrade the existing appliances to a newer version, they will not be impacted by this vulnerability.”
Vendor Information
TCPWave has provided a security advisory at the URL below:
Vendor References
ACCESS Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
AT&T Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Alcatel-Lucent Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Apple Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Arch Linux Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Aruba Networks Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Avaya, Inc. Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Barracuda Networks Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Belkin, Inc. Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Brocade Communication Systems Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CA Technologies Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Check Point Software Technologies Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Contiki OS Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
CoreOS Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
D-Link Systems, Inc. Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DesktopBSD Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
DragonFly BSD Project Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
EMC Corporation Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Enterasys Networks Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Ericsson Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
European Registry for Internet Domains Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Extreme Networks Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
F5 Networks, Inc. Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fedora Project Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Force10 Networks Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Fortinet, Inc. __ Unknown
Notified: February 17, 2016 Updated: February 29, 2016
Statement Date: February 29, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The following products are confirmed to be not affected:
* FortiOS
* FortiSwitch
* FortiAnalyzer
Other products are in the course of being investigated. Please see the URL below for more information and updates.
Vendor References
Foundry Brocade Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
FreeBSD Project Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
GNU adns Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Google Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hardened BSD Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hewlett Packard Enterprise Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Hitachi Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Huawei Technologies Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM Corporation Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
IBM eServer Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Infoblox Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Intel Corporation Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Internet Systems Consortium Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Internet Systems Consortium - DHCP Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
JH Software Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Juniper Networks __ Unknown
Notified: February 17, 2016 Updated: February 22, 2016
Statement Date: February 19, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has provided the following list. A statement is available at the URL below.
The following products have been confirmed to be not vulnerable to the glibc issue reported as CVE-2015-7547:
* Junos OS does not use glibc and is not affected by this issue.
Note: Linux VM-based platforms (e.g. vSRX, vMX, etc.) include glibc, but do not make use of DNS client libraries during normal operation.
* Junos Space
* ScreenOS uses a different implementation of libc and is not affected by this issue.
* QFabric Director
* JUNOSe
* CTP and CTPView
* NSM server relies on underlying OS glibc library. Contact OS vendor
* SBR Carrier running on RHEL relies on the glibc library shipped with the OS. Customers should contact the OS vendor to upgrade glibc.
* SBR Carrier running on Solaris is not vulnerable as it does not use this library.
* WX/WXC
* Netscreen IDP
Other products are still under investigation.
Vendor References
Lynx Software Technologies Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
McAfee Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Microsoft Corporation Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NEC Corporation Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NLnet Labs Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
NetBSD Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nokia Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Nominum Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OmniTI Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenBSD Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
OpenDNS Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Oracle Corporation Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Peplink Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
PowerDNS Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Q1 Labs Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
QNX Software Systems Inc. Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SUSE Linux Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SafeNet Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Secure64 Software Corporation Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Slackware Linux Inc. Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
SmoothWall Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Snort Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sony Corporation Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Sourcefire Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Symantec Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
TippingPoint Technologies Inc. Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Turbolinux Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Unisys Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
VMware Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Wind River Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
Xilinx Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
ZyXEL Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
dnsmasq Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
gdnsd Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
m0n0wall Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
openSUSE project Unknown
Notified: February 17, 2016 Updated: February 17, 2016
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor References
View all 92 vendors __View less vendors __
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 10 | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| Temporal | 8.1 | E:POC/RL:TF/RC:C |
| Environmental | 8.1 | CDP:ND/TD:H/CR:ND/IR:ND/AR:ND |
References
- <https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html>
- <https://sourceware.org/bugzilla/show_bug.cgi?id=18665>
- <https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html>
- <https://sourceware.org/glibc/wiki/Glibc Timeline>
Acknowledgements
This vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O𠆝onell of Red Hat. Google thanks: “Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O𠆝onell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development.”
This document was written by Garret Wassermann.
Other Information
| CVE IDs: | CVE-2015-7547 |
|---|---|
| Date Public: | 2016-02-16 Date First Published: |
Related
8.1 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.974 High
EPSS
Percentile
99.9%