Glibc, the GNU C Library, is carrying a critical vulnerability, tracked as CVE-2015-7547. Glibc is the C library of the GNU system and of GNU/Linux distributions, as well as of many other systems that use Linux as their kernel.
Because nearly every Linux system links against glibc, the flaw exposes a vast installed base to remote code execution, meaning an attacker can plant and run code on a machine from a remote computer. The bug has been patched. Note that distributions backport fixes without changing the glibc version string, so check your vendor's security advisory for the patched package rather than relying on the version number alone.
A Google engineer stumbled on the bug during unrelated debugging work: every attempt to connect to one particular host produced a segmentation fault. A segmentation fault is the crash that results when a program tries to read or write a memory location it is not permitted to access, as Indiana University's knowledge base explains.
“Our initial investigations showed that the issue affected all the versions of glibc since 2.9. You should definitely update if you are on an older version though,” Fermin Serna, staff security engineer, and Kevin Stadmeyer, technical program manager at Google, wrote in a blog post. “If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack.”
According to the Google researchers, glibc's client-side DNS resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. The bug can be triggered by an attacker-controlled domain name, by an attacker-controlled DNS server, or by a man-in-the-middle who tampers with DNS traffic in transit. In a man-in-the-middle attack, the attacker secretly relays, and sometimes alters, the communication between two parties who believe they are talking directly to each other.
Remote code execution is possible, but it is not especially easy: an attacker would also have to find a way around the exploit mitigations the system contains, such as ASLR. ASLR, address space layout randomization, is what security firm Symantec describes as a prophylactic security technology aimed at reducing the effectiveness of exploit attempts.
“Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack,” the researchers wrote. “Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers, which limit the response size for UDP responses with the truncation bit set.”
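The two paragraphs above give the exploit precondition (a response larger than the resolver's 2048-byte stack buffer, over UDP or TCP) and the stopgap (cap the response size the local resolver will accept, and rely on the TC bit for UDP replies the server had to cut). The following is an added example, not code from the article, from Google's post, or from glibc: a small resolver-side filter in Python that parses the fixed DNS header and applies exactly that policy. The function names (`check_response`, `build_a_response`), the 2048-byte cap, and the constructed test packets are this example's own assumptions.

```python
"""Added example: a resolver-side filter that models the stopgap described
above, i.e. refuse any DNS answer larger than glibc's 2048-byte stack buffer
and rely on the TC bit for UDP replies the server had to cut short.
The packets are constructed inline; nothing here is glibc or Google code."""
import struct

# Fixed 12-byte DNS header (RFC 1035 section 4.1.1):
# ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
DNS_HEADER = struct.Struct("!HHHHHH")
FLAG_QR = 0x8000   # message is a response
FLAG_TC = 0x0200   # server truncated the response (its UDP size limit was hit)
MAX_ANSWER = 2048  # size of glibc's stack answer buffer, per the article


def parse_header(payload):
    """Unpack the header fields a size-cap policy needs."""
    if len(payload) < DNS_HEADER.size:
        raise ValueError("short DNS message: %d bytes" % len(payload))
    ident, flags, qd, an, ns, ar = DNS_HEADER.unpack_from(payload)
    return {"id": ident,
            "is_response": bool(flags & FLAG_QR),
            "truncated": bool(flags & FLAG_TC),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def check_response(payload, transport, max_size=MAX_ANSWER):
    """Decide whether a resolver applying the size cap should accept payload.

    transport is "udp" or "tcp". Returns (accept, reason)."""
    try:
        hdr = parse_header(payload)
    except ValueError as err:
        return False, str(err)
    if not hdr["is_response"]:
        return False, "not a response (QR bit clear)"
    if len(payload) > max_size:
        # The precondition quoted above: an answer larger than the 2048-byte
        # buffer, over UDP or TCP. Drop it whatever the transport.
        return False, "%s response of %d bytes exceeds %d-byte cap" % (
            transport.upper(), len(payload), max_size)
    if transport == "udp" and hdr["truncated"]:
        # The server honoured its own UDP limit and set TC. A resolver
        # normally retries over TCP; the same cap must apply to that reply.
        return True, "accepted: truncated UDP reply, retry over TCP under the same cap"
    return True, "accepted (%d bytes, %d answer records)" % (len(payload), hdr["ancount"])


def build_a_response(ident, ancount, truncated=False):
    """Construct a response to 'example.com. A' carrying ancount A records
    (constructed test data, not a captured packet). Each record is 16 bytes
    and points back to the question name with a compression pointer."""
    flags = FLAG_QR | 0x0100 | 0x0080          # QR, RD, RA
    if truncated:
        flags |= FLAG_TC
    header = DNS_HEADER.pack(ident, flags, 1, ancount, 0, 0)
    qname = b"\x07example\x03com\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # NAME=pointer to offset 12, TYPE=A, CLASS=IN, TTL=300, RDLENGTH=4, RDATA
    record = struct.pack("!HHHIH4B", 0xC00C, 1, 1, 300, 4, 93, 184, 216, 34)
    return header + question + record * ancount


if __name__ == "__main__":
    samples = [
        ("udp", build_a_response(0x1001, 1)),                  # ordinary reply
        ("udp", build_a_response(0x1002, 130)),                # 2109 bytes: oversized
        ("tcp", build_a_response(0x1003, 130)),                # same, over TCP
        ("udp", build_a_response(0x1004, 1, truncated=True)),  # server set TC
    ]
    for transport, payload in samples:
        accept, why = check_response(payload, transport)
        print("%s %4d bytes -> %s: %s" % (
            transport, len(payload), "ACCEPT" if accept else "DROP", why))
```

In practice the cap is enforced by the forwarding resolver rather than by hand-written code (dnsmasq, for example, exposes its EDNS0 UDP size limit through the `edns-packet-max` option), and the upstream servers should be ones that set TC rather than send oversized UDP answers. The trade-off is that a 2048-byte ceiling also drops legitimate large replies, such as DNSSEC-signed answers or record sets with many entries, so this is a stopgap until the patched glibc is installed, not a replacement for it.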
Seeing a Ghost
In January 2015, glibc was hit by what is now known as the GHOST bug (CVE-2015-0235), a buffer overflow in the library's gethostbyname() family of functions, which are used by many, if not most, Linux distributions. A buffer overflow occurs when a program attempts to put more data in a buffer than it can hold, or to write data into a memory area past the end of a buffer, according to the Open Web Application Security Project (OWASP).
Major Linux distributors rated the GHOST vulnerability critical. According to Symantec, the flaw allowed remote attackers to take complete control of a compromised system without any prior knowledge of system credentials.
“The first vulnerable glibc version (2.2) was released in November 2000,” Symantec said in a blog post at the time. “Most stable and long-term support distributions were left exposed until now because the vulnerability was not recognized as a security threat.”
Image credit: Screenshot of GNU operating system via GNU.