April 2, 2020

Buffer Overflow in glibc DNS Client Side Resolver

Buffer Overflow in glibc (CVE-2015-7547)

Are you affected?

Existing Gingsoft Online Vulnerability Scanner customers will get a free scan for this once the scanner plugin is updated.  We will then notify you via email if we see that you are vulnerable and send you the scan report.  You can check your version of glibc manually with the ldd --version command (see below).  Any version greater than 2.9, which rolled out in May of 2008, is vulnerable to CVE-2015-7547.

Use ldd --version to check the version of glibc.
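The following POSIX sh script is an added example, not part of the original post: it parses the first line of ldd --version output and compares the reported glibc version against the 2.9 threshold the post states. The sample ldd output embedded in it is constructed; the functions glibc_version_from_ldd, glibc_is_vulnerable_version and check_ldd_output are names chosen here.

```shell
#!/bin/sh
# Added example (not from the original post): read the glibc version that
# `ldd --version` prints and flag it against the post's stated threshold
# (glibc 2.9 and later are affected by CVE-2015-7547 until patched).

# Take the full `ldd --version` text as $1 and return the version from the
# first line, which ends in the glibc version on GNU systems, e.g.
# "ldd (GNU libc) 2.23" or "ldd (Ubuntu GLIBC 2.31-0ubuntu9) 2.31".
glibc_version_from_ldd() {
    printf '%s\n' "$1" | head -n 1 | awk '{ print $NF }'
}

# Print "yes" when major.minor is 2.9 or later, else "no".
# A patch level such as 2.19.1 is ignored for the comparison.
glibc_is_vulnerable_version() {
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 9 ]; }; then
        echo yes
    else
        echo no
    fi
}

# Combine the two: "yes"/"no" for a parseable glibc version, "unknown"
# (with a non-zero status) when the output is not glibc's, e.g. musl's ldd.
check_ldd_output() {
    ver=$(glibc_version_from_ldd "$1")
    case "$ver" in
        [0-9]*.[0-9]*) glibc_is_vulnerable_version "$ver" ;;
        *) echo unknown; return 1 ;;
    esac
}

# Constructed sample output standing in for a real `ldd --version` run.
SAMPLE_LDD_OUTPUT='ldd (GNU libc) 2.23
Copyright (C) 2016 Free Software Foundation, Inc.'

echo "sample: glibc $(glibc_version_from_ldd "$SAMPLE_LDD_OUTPUT")" \
     "vulnerable=$(check_ldd_output "$SAMPLE_LDD_OUTPUT")"

# Check this host too when ldd is available.
if command -v ldd >/dev/null 2>&1; then
    live=$(ldd --version 2>/dev/null)
    echo "this host: glibc $(glibc_version_from_ldd "$live")" \
         "vulnerable=$(check_ldd_output "$live")"
fi
```

A "yes" from this check means the version falls in the range the post describes, not that the host is unpatched: distributions commonly backport the fix without changing the minor version, so confirm against your vendor's package changelog before treating a host as exposed.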

What is it?

Google found a buffer overflow vulnerability in the DNS client side resolver of glibc when it performs dual A/AAAA DNS queries. The glibc library is in many distributions of Linux and Android.  Judging by the CVE reservation, this was actually found on 29 September 2015, but kept quiet until now.  Software using the getaddrinfo() function may be exploited when the attacker controls the domain names or DNS servers, or if they acquire a man-in-the-middle posture.

Mitigation Options

  • Downgrade the glibc library to a safe version; all versions of glibc after 2.9 are vulnerable. Version 2.9 was rolled out in May of 2008.
  • Google has found some mitigations that may help prevent exploitation if you are not able to immediately patch your instance of glibc. “The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Our suggested mitigation is to limit the response (i.e., via DNSMasq or similar programs) sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set,” says Google.