Experts are warning that a major bug could affect hundreds of thousands of devices, apps and services.
Engineers at Google reported a flaw (CVE-2015-7547) in glibc, the open-source GNU C Library, that could let attackers gain remote code execution on computers, routers and other networked equipment. Because almost every Linux program resolves hostnames through glibc, the exposure reaches well beyond software written in C: the runtimes of languages such as PHP and Python link against it, as do the processes involved in logging onto sites or sending email.
The Google engineers found a stack-based buffer overflow in glibc's client-side DNS resolver, reachable whenever an application calls the getaddrinfo() library function to look up a hostname. The resolver reserves a 2048-byte buffer on the stack for DNS replies, and an oversized reply from a malicious DNS server, or from an attacker sitting in the path to a legitimate one, can overflow it. The attacker therefore does not need access to the victim machine, only control of the answers it receives.
While many are raising alarms, Craig Young, a cybersecurity researcher at Tripwire, doesn’t expect widespread exploitation. “Payloads needed for exploiting this for code execution are probably not going to be well-formed responses and will likely get dropped en route,” he said in a release.
The bug has been present in glibc since 2008, when it was introduced in version 2.9, experts said, but it wasn't until the Google team recently joined forces with Red Hat researchers who were working on the same bug that a patch was released.
“Once the full extent of this vulnerability is determined, administrators will quickly move into triage mode – addressing the problems that are most obvious and most under public scrutiny,” Brendan Rizzo, technical director, EMEA, for HPE Security – Data Security, said in emailed comments to SCMagazine.com. “Attackers, on the other hand, generally avoid the ‘front door’ and will be shifting their focus to secondary attack vectors.”
Rizzo advised organizations “to shore up all possible attack vectors of this vulnerability,” saying that could only occur once they “have performed a thorough assessment to uncover everywhere they are using the vulnerable code in their applications.”
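As an added example (not code from the article, Google, Red Hat or Qualys), the shell script below shows two checks an administrator would run during the assessment Rizzo describes: a triage filter on the installed glibc version, and a scan of /proc for processes that still have a pre-upgrade libc mapped. The second matters because glibc is loaded into nearly every process on the machine; updating the package replaces the file on disk, but a daemon that loaded the old library keeps the vulnerable resolver in memory until it is restarted, and the kernel marks those mappings "(deleted)" in /proc/<pid>/maps. The affected upstream range (2.9 through 2.22) follows from the fix shipping in glibc 2.23; the function names and the sample /proc tree are this example's own constructions.

```shell
#!/bin/sh
# Added example, not code from the article or from glibc: two checks used
# while tracking CVE-2015-7547 remediation.
#
#  1. glibc_in_affected_range VERSION
#     Upstream glibc 2.9 through 2.22 carry the bug; 2.23 has the fix.
#     CAVEAT: distributions backport fixes without bumping the version,
#     so a "2.17" package may already be patched. Treat this as a first
#     triage filter and confirm against the vendor's package changelog.
#
#  2. stale_libc_pids PROC_DIR
#     Upgrading the package does not fix running processes: anything that
#     loaded libc before the upgrade keeps the old resolver in memory until
#     restarted. The kernel shows such mappings as
#     "<path>/libc-2.x.so (deleted)" in /proc/<pid>/maps. Pass /proc on a
#     real host; the demo below passes a constructed tree.

glibc_in_affected_range() {
    ver="$1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}          # drop any patch level: 2.19.1 -> 19
    [ "$major" = 2 ] && [ "$minor" -ge 9 ] && [ "$minor" -le 22 ]
}

stale_libc_pids() {
    dir="$1"
    for maps in "$dir"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        pid=${maps#"$dir"/}
        pid=${pid%/maps}
        # Match libc-2.19.so or libc.so.6, but not libcrypto.so and friends.
        # Other users' maps files are unreadable without root; ignore them.
        if grep -Eq '/libc(-[0-9.]+)?\.so(\.[0-9]+)? \(deleted\)$' "$maps" 2>/dev/null; then
            echo "$pid"
        fi
    done
}

# Constructed sample /proc tree (not captured from a real system): pid 1234
# still maps a deleted libc, pid 5678 maps the current one, and pid 9012 has
# a deleted libcrypto but a current libc, so it must not be reported.
make_demo_proc() {
    dir="$1"
    mkdir -p "$dir/1234" "$dir/5678" "$dir/9012"
    cat >"$dir/1234/maps" <<'EOF'
00400000-004ef000 r-xp 00000000 08:01 131  /usr/sbin/httpd
7f3a1c000000-7f3a1c1c0000 r-xp 00000000 08:01 4321  /lib/x86_64-linux-gnu/libc-2.19.so (deleted)
EOF
    cat >"$dir/5678/maps" <<'EOF'
7f3a1d000000-7f3a1d1c0000 r-xp 00000000 08:01 4400  /lib/x86_64-linux-gnu/libc-2.19.so
EOF
    cat >"$dir/9012/maps" <<'EOF'
7f3a1e000000-7f3a1e200000 r-xp 00000000 08:01 4500  /usr/lib64/libcrypto.so.1.0.0 (deleted)
7f3a1f000000-7f3a1f1c0000 r-xp 00000000 08:01 4400  /usr/lib64/libc.so.6
EOF
}

demo=$(mktemp -d)
make_demo_proc "$demo"
echo "processes still running a deleted libc:"
stale_libc_pids "$demo"        # prints 1234
rm -rf "$demo"

for v in 2.8 2.17 2.22 2.23; do
    if glibc_in_affected_range "$v"; then
        echo "glibc $v: in upstream affected range (check vendor backports)"
    else
        echo "glibc $v: outside affected range"
    fi
done
```

On a real host, run `stale_libc_pids /proc` as root after the package update; every pid it prints is a service that still needs a restart (or the host needs a reboot), which is the kind of residual exposure a version scan alone will not reveal.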
UPDATE: Writing on Monday on the Qualys blog, The Laws of Vulnerabilities, CTO Wolfgang Kandek pointed out that this bug is a critical vulnerability on both Linux servers and Linux clients, and advised users to patch as quickly as possible. “Further work by security researchers during the last week has only increased the urgency,” he wrote.
To illustrate the urgency of this vulnerability, Kandek pointed to a blog post from Dan Kaminsky that reported that in one hour of setup he was able to crash standard Linux applications, such as apache, smbclient, gpg and mysql.
Also, Kandek wrote, a researcher at Yahoo developed working code execution against an Apache/PHP server.
His conclusion was that organizations must track their patching progress closely, and that regular scans are crucial to confirm the fix has actually reached every affected system.