Critical Linux vulnerability CVE-2015-7547 in GNU C Library (glibc)

CVE-2015-7547 is a critical vulnerability in the GNU C Library (glibc) that was reported by the Google Security Team and Red Hat.

Description of the vulnerability from Red Hat

A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library.

NOTE: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547)

It was discovered that the calloc implementation in glibc could return memory areas which contain non-zero bytes. This could result in unexpected application behavior such as hangs or crashes. (CVE-2015-5229)

Impact:

This flaw could be exploited in a variety of ways: any service or process that performs DNS lookups through glibc's resolver (which covers most networked programs, since nss_dns is the default name-resolution module) is a potential target. A malicious or spoofed DNS response could lead to remote code execution with the privileges of the affected process, and to full system control when that process runs as root. 

Impacted Linux distributions:  

  • Red Hat Enterprise Linux 6 and CentOS 6: RHSA-2016:0175-1
  • Red Hat Enterprise Linux 7 and CentOS 7: RHSA-2016:0176-1
  • Debian 6 (Squeeze), 7 (Wheezy), 8 (Jessie): CVE-2015-7547
  • Ubuntu 12.04 LTS, 14.04 LTS, 15.10: USN-2900-1 

Resolution:

1. Verify the current glibc version

On CentOS and Red Hat Enterprise Linux, run:

yum list glibc

The installed version is listed under the "Installed Packages" section of the output.

On Ubuntu and Debian, run:

ldd --version

The first line of the output mentions the package version.

Here is the list of patched versions:

  • Red Hat Enterprise Linux 6 and CentOS 6: glibc-2.12-1.166.el6_7.7
  • Red Hat Enterprise Linux 7 and CentOS 7: glibc-2.17-106.el7_2.4
  • Debian 6 (squeeze): eglibc 2.11.3-4+deb6u11
  • Debian 7 (wheezy): eglibc 2.13-38+deb7u10
  • Debian 8 (jessie): glibc 2.19-18+deb8u3
  • Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13
  • Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7
  • Ubuntu 15.10: libc6 2.21-0ubuntu4.1

 

2. Updating glibc and rebooting (processes that were already running keep the old library mapped in memory until they are restarted; rebooting is the simplest way to make sure none are left)

On CentOS and Red Hat Enterprise Linux: 

Run: 

yum clean all

yum update glibc

reboot

  

On Ubuntu (12.04 LTS, 14.04 LTS and 15.10) and Debian (6 squeeze, 7 wheezy and 8 jessie): 

Run: 

sudo apt-get update

sudo apt-get install libc6

reboot
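The check in step 1 can be scripted so it can be run across a fleet. The following POSIX shell script is an added example, not part of the original article or of any distribution's tooling: it encodes the patched versions listed above, reads the installed version from rpm or dpkg-query (or takes it as a second argument), and reports whether the host still needs step 2. The distro identifiers (centos7, ubuntu14.04, ...) and the version-comparison routine, which compares the numeric fields of the version strings in order as an approximation of the rpm/dpkg ordering rules, are this script's own assumptions; the sample version strings at the bottom are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example (not from the original article): report whether the installed
# glibc/libc6 package is at or above the version patched for CVE-2015-7547.

# Patched package versions for CVE-2015-7547, as listed in the article,
# keyed by a distro identifier chosen for this script (assumption).
patched_version() {
  case "$1" in
    rhel6|centos6)  echo "2.12-1.166.el6_7.7" ;;
    rhel7|centos7)  echo "2.17-106.el7_2.4" ;;
    debian6)        echo "2.11.3-4+deb6u11" ;;
    debian7)        echo "2.13-38+deb7u10" ;;
    debian8)        echo "2.19-18+deb8u3" ;;
    ubuntu12.04)    echo "2.15-0ubuntu10.13" ;;
    ubuntu14.04)    echo "2.19-0ubuntu6.7" ;;
    ubuntu15.10)    echo "2.21-0ubuntu4.1" ;;
    *)              return 1 ;;
  esac
}

# version_ge A B: succeeds if A >= B. Compares the numeric fields of the two
# version strings in order; the alphabetic parts ("el7", "ubuntu", "deb8u")
# are identical within one distro, so dropping them is safe here. This is an
# approximation of rpm/dpkg ordering, adequate for the versions above.
version_ge() {
  a="$(printf '%s' "$1" | tr -c '0-9' ' ')"
  b="$(printf '%s' "$2" | tr -c '0-9' ' ')"
  set -- $a
  for y in $b; do
    x="${1:-0}"                      # a missing trailing field counts as 0
    [ $# -gt 0 ] && shift
    [ "$x" -gt "$y" ] && return 0
    [ "$x" -lt "$y" ] && return 1
  done
  return 0
}

# glibc_status DISTRO INSTALLED: prints the verdict; exit 0 = patched,
# 1 = vulnerable, 2 = distro not in the table.
glibc_status() {
  distro="$1"; installed="$2"
  fixed="$(patched_version "$distro")" || { echo "unknown distro: $distro" >&2; return 2; }
  if version_ge "$installed" "$fixed"; then
    echo "patched ($installed >= $fixed)"; return 0
  else
    echo "VULNERABLE ($installed < $fixed)"; return 1
  fi
}

# Read the installed version from the local package database
# (assumes rpm on RHEL/CentOS or dpkg-query on Debian/Ubuntu).
installed_glibc_version() {
  if command -v rpm >/dev/null 2>&1; then
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' glibc | head -n 1
  elif command -v dpkg-query >/dev/null 2>&1; then
    dpkg-query -W -f '${Version}\n' libc6
  else
    echo "neither rpm nor dpkg-query found" >&2; return 1
  fi
}

# Usage: sh check_glibc.sh DISTRO [INSTALLED_VERSION]
if [ $# -ge 1 ]; then
  installed="${2:-$(installed_glibc_version)}"
  glibc_status "$1" "$installed"
else
  # Constructed sample inputs (not from a real host) showing the verdicts.
  for s in "centos7 2.17-106.el7_2.1" "centos7 2.17-106.el7_2.4" \
           "ubuntu14.04 2.19-0ubuntu6.6" "debian8 2.19-18+deb8u4"; do
    glibc_status "${s%% *}" "${s#* }" || true
  done
fi
```

Run it on the host as `sh check_glibc.sh centos7`, or pass a version string copied from another system as the second argument. A VULNERABLE verdict means step 2 is still needed; a patched verdict only says the package on disk is fixed, not that every long-running process has been restarted.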

 

Subscriptions to notifications about security updates for Red Hat, CentOS, Ubuntu and Debian can be found at the following URLs: 

 
