Critical Linux vulnerability CVE-2015-7547 in GNU C Library (glibc)

Posted:  May 14th, 2018

 

CVE-2015-7547 is a critical vulnerability in GNU C Library (glibc) that has been reported by the Google Security Team and Red Hat.

 

Description of the vulnerability from Red Hat:

 

A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library.

 

NOTE: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547)

 

It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes. (CVE-2015-5229)

 

Impact:

 

This flaw could be exploited in a variety of ways, basically any services/processes doing DNS requests could be a potential target and lead to remote code execution or full system control.

 

Impacted Linux distributions:

 

    > Red Hat Enterprise Linux 6 and CentOS 6: RHSA-2016:0175-1

    > Red Hat Enterprise Linux 7 and CentOS 7: RHSA-2016:0176-1

    > Debian 6 (Squeeze), 7 (Wheezy), 8 (Jessie): CVE-2015-7547

    > Ubuntu 12.04 LTS, 14.04 LTS, 15.10: USN-2900-1

 

Resolution:

 

1. Verify the current glibc version on CentOS and Red Hat Enterprise Linux:

 

Run:

 

    yum list glibc

 

The version will be listed under the "Installed Packages" section.

On Ubuntu and Debian:

 

 Run:

 

    ldd --version

 

 

The first line of the output mentions the version. The fixed versions are:

 

     > Red Hat Enterprise Linux 6 and CentOS 6: glibc-2.12-1.166.el6_7.7

     > Red Hat Enterprise Linux 7 and CentOS 7: glibc-2.17-106.el7_2.4

     > Debian 6 (squeeze): eglibc 2.11.3-4+deb6u11

     > Debian 7 (wheezy): eglibc 2.13-38+deb7u10

     > Debian 8 (jessie): glibc 2.19-18+deb8u3

     > Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13

     > Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7

     > Ubuntu 15.10: libc6 2.21-0ubuntu4.1

 

2. Updating glibc and rebooting

 

On CentOS and Red Hat Enterprise Linux:

 

Run:

 

    yum clean all

    yum update glibc

    reboot

 

On Ubuntu (12.04 LTS, 14.04 LTS and 15.10):

 

Run:

 

    sudo apt-get update

    sudo apt-get install libc6

    reboot

 

On Debian 6 (squeeze) and Debian 7 (wheezy):

 

Run:

 

    sudo apt-get update

    sudo apt-get install libc6

    reboot

 

On Debian 8 (jessie):

 

Run:

 

    sudo apt-get update

    sudo apt-get install libc6

    reboot
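As an added example that is not part of the original advisory, the following POSIX shell script turns the check in step 1 into something that can be run on a fleet: it compares the installed glibc/libc6 version against the fixed versions listed above. It assumes GNU coreutils `sort -V` for version ordering and queries `rpm` or `dpkg-query` for the full package version (the function names `fixed_version`, `glibc_is_patched` and `installed_glibc_version` are my own, not from the advisory).

```shell
#!/bin/sh
# Added example, not from the advisory: compare the installed glibc version
# against the fixed versions listed in step 1. Assumes GNU `sort -V`.

# Fixed version for a distribution key (values taken from the list in step 1).
fixed_version() {
    case "$1" in
        rhel6|centos6)  echo "2.12-1.166.el6_7.7" ;;
        rhel7|centos7)  echo "2.17-106.el7_2.4" ;;
        debian6)        echo "2.11.3-4+deb6u11" ;;
        debian7)        echo "2.13-38+deb7u10" ;;
        debian8)        echo "2.19-18+deb8u3" ;;
        ubuntu12.04)    echo "2.15-0ubuntu10.13" ;;
        ubuntu14.04)    echo "2.19-0ubuntu6.7" ;;
        ubuntu15.10)    echo "2.21-0ubuntu4.1" ;;
        *)              return 1 ;;
    esac
}

# Returns 0 when installed version $2 is at or above the fixed version for
# distribution $1, 1 when it is older, 2 when the distribution key is unknown.
glibc_is_patched() {
    fixed=$(fixed_version "$1") || return 2
    # The lower of the two versions equals the fixed one iff installed >= fixed.
    lowest=$(printf '%s\n%s\n' "$fixed" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$fixed" ]
}

# Installed version in the same "version-release" form as the list in step 1
# (package tools report the distribution revision, which `ldd --version` omits).
installed_glibc_version() {
    if command -v rpm >/dev/null 2>&1; then
        rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc | head -n 1
    else
        dpkg-query -W -f='${Version}\n' libc6
    fi
}

# Usage: sh check_glibc.sh <distribution key>, e.g. debian8 or rhel7.
if [ -n "$1" ]; then
    ver=$(installed_glibc_version)
    status=0
    glibc_is_patched "$1" "$ver" || status=$?
    case $status in
        0) echo "glibc $ver: contains the fix for CVE-2015-7547" ;;
        1) echo "glibc $ver: older than $(fixed_version "$1"), apply step 2" ;;
        *) echo "unknown distribution key: $1" >&2; exit 2 ;;
    esac
fi
```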

 

Subscriptions to notifications about security updates for Red Hat, CentOS, Ubuntu and Debian can be found at the following URLs:

 

Red Hat - RHSA-announce (http://www.redhat.com/mailman/listinfo/rhsa-announce)

CentOS - CentOS-announce (https://lists.centos.org/mailman/listinfo/centos-announce)

Ubuntu - ubuntu-security-announce (https://lists.ubuntu.com/mailman/listinfo/ubuntu-security-announce)

Debian - debian-security-announce (https://lists.debian.org/debian-security-announce/)

 

 

References:

 

https://googleonlinesecurity.blogspot.ca/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

https://access.redhat.com/articles/2161461