CERT Coordination Center

glibc vulnerable to stack buffer overflow in DNS resolver

Vulnerability Note VU#457759

Original Release Date: 2016-02-17 | Last Revised: 2016-03-14

Overview

GNU glibc contains a buffer overflow vulnerability in the DNS resolver, which may allow a remote attacker to execute arbitrary code.

Description

CWE-121: Stack-based Buffer Overflow - CVE-2015-7547

According to a Google security blog post:

"The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack."

According to glibc developers, the vulnerable code was initially added in May 2008 as part of the development for glibc 2.9. All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected.

More details and analysis are available in the patch announcement from glibc developers.
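A quick host-side triage for the version range stated above, as an added example that is not part of the original note: it reads the version reported by `getconf GNU_LIBC_VERSION` and compares major and minor numbers numerically. The function names are hypothetical, and because distributions backport fixes without changing the upstream version number, an in-range result means "check the installed package build against the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the CERT note). Function names are hypothetical.
# Affected upstream range per the note: glibc 2.9 through 2.22.

# Print the running system's glibc version (e.g. "2.17"); prints nothing
# when getconf is missing or the C library is not glibc.
detect_glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '$1 == "glibc" { print $2 }'
}

# classify_glibc VERSION
# Prints one of: in-range, out-of-range, unparseable.
# Only major.minor is compared; any third component (e.g. "2.22.90") is
# ignored, which errs on the side of reporting in-range.
classify_glibc() {
    ver=$1
    case $ver in
        '' | *[!0-9.]*) echo unparseable; return 0 ;;
    esac
    major=${ver%%.*}
    rest=${ver#*.}
    if [ "$rest" = "$ver" ]; then      # no dot at all, e.g. "2"
        echo unparseable; return 0
    fi
    minor=${rest%%.*}
    if [ -z "$major" ] || [ -z "$minor" ]; then
        echo unparseable; return 0
    fi
    # Numeric comparison: a plain string compare would sort "2.10" before "2.9".
    if [ "$major" -eq 2 ] && [ "$minor" -ge 9 ] && [ "$minor" -le 22 ]; then
        echo in-range
    else
        echo out-of-range
    fi
}

# Report on the local host.
v=$(detect_glibc_version)
case $(classify_glibc "$v") in
    in-range)
        echo "glibc $v: inside upstream range 2.9-2.22; confirm the package build against the vendor advisory" ;;
    out-of-range)
        echo "glibc $v: outside upstream range 2.9-2.22" ;;
    *)
        echo "glibc version not detected (non-glibc system or getconf unavailable)" ;;
esac
```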

Impact

The getaddrinfo() function allows a buffer overflow condition in which arbitrary code may be executed. The impact may vary depending on whether the use case is local or remote.

Solution

Apply an update

A patch for glibc is available. Affected users should apply the patch as soon as possible. The patch will also be included as part of the upcoming glibc 2.23 release.

The Vendor Status information below provides more information on updates.

Vendor Information

Some embedded operating systems, or older, no longer supported versions of Linux distributions, may contain an older version of glibc that is vulnerable. Please check with your vendor to find out if you need to upgrade to a newer operating system in order to address this issue.


Android Open Source Project

Notified:  February 17, 2016 Updated:  February 23, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Arista Networks, Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Affected

Vendor Statement

"Arista Networks is investigating the applicability of VU#457759 to our products. More information will be available as the investigation proceeds."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Vendor References

https://www.arista.com/en/support/advisories-notices/security-advisories/1255-security-advisory-17

Blue Coat Systems

Notified:  February 17, 2016 Updated:  February 26, 2016

Statement Date:   February 26, 2016

Status

  Affected

Vendor Statement

"Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code."

Vendor Information

Fixes for the vulnerable products are pending. Please see the advisory below.

Vendor References

https://bto.bluecoat.com/security-advisory/sa114

CentOS

Notified:  February 17, 2016 Updated:  March 14, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

A patched version of glibc is available for CentOS. The forum discussion at the URL below provides further information.

Vendor References

https://www.centos.org/forums/viewtopic.php?t=56467

Cisco

Notified:  February 17, 2016 Updated:  February 18, 2016

Statement Date:   February 18, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Cisco has provided a security advisory which contains details of which products are affected at the URL below:

Vendor References

http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20160218-glibc

Debian GNU/Linux

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Debian has released glibc updates containing the patches. Please see the announcements below:

Vendor References

https://lists.debian.org/debian-security-announce/2016/msg00050.html
https://lists.debian.org/debian-security-announce/2016/msg00051.html
https://lists.debian.org/debian-lts-announce/2016/02/msg00009.html

GNU glibc

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

A detailed analysis and patch for glibc are available at the URL below.

Vendor References

https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

Gentoo Linux

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

glibc has been updated with the patch on Gentoo. Please see the Gentoo security advisory at the URL below.

Addendum

https://security.gentoo.org/glsa/201602-02

Red Hat, Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

glibc has been updated with the patch. Please see the Red Hat security advisory at the URL below.

Vendor References

https://access.redhat.com/security/cve/CVE-2015-7547

Ubuntu

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Affected

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

Ubuntu has released a patched version of glibc. Please see the security advisory at the URL below:

Vendor References

http://www.ubuntu.com/usn/usn-2900-1/

EfficientIP

Updated:  February 18, 2016

Statement Date:   February 18, 2016

Status

  Not Affected

Vendor Statement

"No version of our software is affected by VU#457759 (glibc vulnerable to stack buffer overflow in DNS resolver)"

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  February 17, 2016 Updated:  February 22, 2016

Statement Date:   February 20, 2016

Status

  Not Affected

Vendor Statement

"Openwall GNU/*/Linux is not affected. We use a fork of a version of glibc predating the introduction of this vulnerability.

We have previously patched the somewhat related GHOST vulnerability."

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

PC-BSD

Notified:  February 17, 2016 Updated:  February 17, 2016

Statement Date:   February 17, 2016

Status

  Not Affected

Vendor Statement

PC-BSD is based upon FreeBSD, and as such does *not* use glibc by default for any native *BSD applications. As such, it is not vulnerable to CVE-2015-7547.

PC-BSD does allow running Linux applications through emulation, in which case users should ensure their packages / VM's are updated in accordance with upstream methods.

Vendor Information

We are not aware of further vendor information regarding this vulnerability.

TCPWave

Updated:  February 18, 2016

Statement Date:   February 18, 2016

Status

  Not Affected

Vendor Statement

"The TCPWave DNS Appliances and TCPWave Sharkcage Appliances do not use a vulnerable version of glibc in the current production releases. A newer version that is scheduled for a summer release has been found vulnerable and has been patched. When the customers upgrade the existing appliances to a newer version, they will not be impacted by this vulnerability."

Vendor Information

TCPWave has provided a security advisory at the URL below:

Vendor References

http://www.tcpwave.com/security-advisory-vu457759/

ACCESS

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

AT&T

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Alcatel-Lucent

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Apple

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Arch Linux

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Aruba Networks

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Avaya, Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Barracuda Networks

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Belkin, Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Brocade Communication Systems

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CA Technologies

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Check Point Software Technologies

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Contiki OS

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

CoreOS

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

D-Link Systems, Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DesktopBSD

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

DragonFly BSD Project

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

EMC Corporation

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Enterasys Networks

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Ericsson

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

European Registry for Internet Domains

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Extreme Networks

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

F5 Networks, Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fedora Project

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Force10 Networks

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Fortinet, Inc.

Notified:  February 17, 2016 Updated:  February 29, 2016

Statement Date:   February 29, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The following products are confirmed to be not affected:

      • FortiOS
      • FortiSwitch
      • FortiAnalyzer
Other products are in the course of being investigated. Please see the URL below for more information and updates.

Vendor References

http://www.fortiguard.com/advisory/glibc-getaddrinfo-stack-overflow

Foundry Brocade

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

FreeBSD Project

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

GNU adns

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Google

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hardened BSD

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hewlett Packard Enterprise

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Hitachi

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Huawei Technologies

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM Corporation

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

IBM eServer

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Infoblox

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Intel Corporation

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Internet Systems Consortium - DHCP

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

JH Software

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Juniper Networks

Notified:  February 17, 2016 Updated:  February 22, 2016

Statement Date:   February 19, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has provided the following list. A statement is available at the URL below.

The following products have been confirmed to be not vulnerable to the glibc issue reported as CVE-2015-7547:

      • Junos OS does not use glibc and is not affected by this issue.
        Note: Linux VM-based platforms (e.g. vSRX, vMX, etc.) include glibc, but do not make use of DNS client libraries during normal operation.
      • Junos Space
      • ScreenOS uses a different implementation of libc and is not affected by this issue.
      • QFabric Director
      • JUNOSe
      • CTP and CTPView
      • NSM server relies on underlying OS glibc library. Contact OS vendor
      • SBR Carrier running on RHEL relies on the glibc library shipped with the OS.  Customers should contact the OS vendor to upgrade glibc.
      • SBR Carrier running on Solaris is not vulnerable as it does not use this library.
      • WX/WXC
      • Netscreen IDP
Other products are still under investigation.

Vendor References

http://forums.juniper.net/t5/Security-Incident-Response/glibc-getaddrinfo-stack-based-buffer-overflow-CVE-2015-7547/ba-p/288261

Lynx Software Technologies

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

McAfee

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Microsoft Corporation

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NEC Corporation

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NLnet Labs

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

NetBSD

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nokia

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Nominum

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OmniTI

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenBSD

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

OpenDNS

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Oracle Corporation

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Peplink

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

PowerDNS

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Q1 Labs

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

QNX Software Systems Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SUSE Linux

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SafeNet

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Secure64 Software Corporation

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Slackware Linux Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

SmoothWall

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Snort

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sony Corporation

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Sourcefire

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Symantec

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

TippingPoint Technologies Inc.

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Turbolinux

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Unisys

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

VMware

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Wind River

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Xilinx

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

ZyXEL

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

dnsmasq

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

gdnsd

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

m0n0wall

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

openSUSE project

Notified:  February 17, 2016 Updated:  February 17, 2016

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.


CVSS Metrics

Group          Score   Vector
Base           10.0    AV:N/AC:L/Au:N/C:C/I:C/A:C
Temporal       8.1     E:POC/RL:TF/RC:C
Environmental  8.1     CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

Credit

This vulnerability was disclosed by Fermin J. Serna and Kevin Stadmeyer of Google and Florian Weimer and Carlos O’Donell of Red Hat. Google thanks: "Neel Mehta, Thomas Garnier, Gynvael Coldwind, Michael Schaller, Tom Payne, Michael Haro, Damian Menscher, Matt Brown, Yunhong Gu, Florian Weimer, Carlos O’Donell and the rest of the glibc team for their help figuring out all details about this bug, exploitation, and patch development."

This document was written by Garret Wassermann.

Other Information

CVE IDs: CVE-2015-7547
Date Public: 2016-02-16
Date First Published: 2016-02-17
Date Last Updated: 2016-03-14 14:25 UTC
Document Revision: 51

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.