The Glibc Project has announced a critical vulnerability in the glibc DNS client-side resolver that could, under certain conditions, lead to remote code execution on a system using glibc.
NOTE: This vulnerability affects a subroutine in the glibc library itself, not Duo’s service or Duo’s Linux-based integrations.
The disclosed vulnerability would allow an attacker to potentially execute arbitrary code on the system. Specially crafted oversized DNS responses sent as a reply to legitimate DNS requests allow attackers to exploit a stack-based buffer overflow vulnerability in the getaddrinfo() library call in glibc versions 2.9 or later. This vulnerability was assigned CVE-2015-7547.
Analysis
Red Hat and the Google Security Team report that systems using glibc are impacted, but did not provide a list of downstream products. The systems most likely to affect Duo customers are Linux-based, although potentially any non-Windows system could be impacted (including mobile devices).
Neither Red Hat nor the Google Security Team is aware of active exploitation of this vulnerability, but because the vulnerable code is open source, exploit code is expected to surface.
For the vulnerability to be exploited, the attacker would need to use one of the following vectors:
- Attacker-controlled DNS server
- Attacker-controlled domain
- Man-in-the-middle attack
- “Drive-by” attack
Not all of these vectors are commonly used, which limits the scope. Additionally, the attacker would have to bypass any security mitigation techniques on the target system (such as ASLR). Therefore, the scope and impact of this vulnerability seem somewhat limited for now, but as stated above, exploit code is expected to surface, so the scope and impact could change rapidly.
Solution
Due to the emerging risks outlined above, we strongly recommend that affected customers apply system updates to affected systems as soon as patches become available and as soon as operationally feasible. If you are unsure about patch availability for your system, visit the security section of your distribution's website; all Linux distributions also run security announcement mailing lists with archives online.
Duo Labs is currently monitoring the status of this issue and will provide more information as deemed necessary. Contact us at labs@duosecurity.com.