On Tuesday, 16 February 2016, Google security researchers Fermin J. Serna and Kevin Stadmeyer announced the discovery of a vulnerability in the GNU C library (called “glibc” or “libc6”, depending on the specific platform) that underlies many Unix/Linux systems. Similar to the GHOST vulnerability, exploitation of this vulnerability involves a buffer overflow that can cause a system crash or allow an attacker to remotely execute malicious code.
How It Works
When the Google researchers reported the vulnerability to the C library maintainers, they discovered that the bug had previously been reported in July 2015 (hence its 2015 CVE number). Red Hat researchers had been working quietly to understand the full extent of this issue, and they presumably, in conjunction with the Google researchers, waited until they had an effective patch in place before making their announcement public.
In short, this exploit leaves any Linux based cloud server that uses glibc and performs domain name lookups potentially vulnerable to attack. Specifically, the proof-of-concept the researchers have demonstrated employs specially crafted packets that cause the getaddrinfo() function to mishandle certain memory buffers, triggering a buffer overflow (a commonly used tactic among those who look for vulnerabilities to exploit). The publicly available proof-of-concept causes a server to crash; the researchers have withheld the proof-of-concept code that would allow for remote code execution.
Since so many server functions utilize the affected library–including sudo, curl, and ssh, to name a few–patching glibc is the safest path to protect your servers from this sort of exploit. While there is no evidence of this vulnerability being exploited in the wild, any server running version 2.9 or later of glibc should be updated to the patched version as soon as possible (if you are running a version of the C library older than 2.9, your best bet is still to upgrade to address any of the other known vulnerabilities that the intervening upgrades have patched).
How To Identify Your Version of glibc
You can identify your currently running version of the C library you are using on the command line with the following command:
Example of output from `ldd –version`
Patched glibc Versions
Most repositories now have patched versions of the library available through their respective package managers, including the following (likely non-exhaustive) list:
- CentOS 6: glibc-2.12-1.166.el6_7.7
- CentOS 7: glibc-2.17-106.el7_2.4
- Ubuntu 15.10: libc6 2.21-0ubuntu4.1
- Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7
- Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13
- Debian 6: libc6 2.11.3-4+deb6u11
- Debian 7: libc6 2.13-38+deb7u10
- Debian 8: libc6 2.19-18+deb8u3
- Debian Sid (unstable): libc6 2.21-8
- Arch Linux: glibc-2.23-1
How To Update the glibc Vulnerability
The simplest way to update will be through your respective package managers.
sudo yum update glibc
sudo apt-get install libc6
sudo apt-get install libc6
sudo pacman -S "glibc>=2.23"
Once you install the updated version, you will need to restart each service that uses the C library to ensure they are using the patched version. Your safest bet is to schedule a reboot of your cloud server.
Update (2016-02-18): Edited the Debian package names to correct the name of the C library package from “eglibc” to “libc6”.
Update (2016-02-24): Added the patched glibc version for Arch Linux along with update instructions.