Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

02:55 PM
Connect Directly

Glibc Flaw Affects Thousands Of Linux Apps But How Dangerous Is It?

The difficulty involved in exploiting flaw could mitigate some of the risk, say some security researchers.

Security researchers appear somewhat divided over the extent of the danger posed by a major bug in a shared library used in thousands of Linux-based applications and systems worldwide.

Researchers at Google and Red Hat disclosed the vulnerability in glibc on Tuesday. They described the issue as a critical buffer overflow vulnerability which, when exploited, could give an attacker complete remote control of systems running the affected software.

The major Linux distributors and the glibc project, which maintains the library, have issued patches for fixing the issue in vulnerable products.

Glibc, or GNU C Library, is a version of the main C-Library (libc) that Unix systems rely on to run. It contains a set of all the standard features and functions required by Unix systems.  Though there are multiple versions of the C-library, glibc is by far the most popular and is used by all major Linux distributions, according to security researchers.

“Pretty much every program uses functions defined in this library,” says Johannes Ullrich, dean of research for the SANS Technology Institute. BSD based operating systems like OS X, iOS, OpenBSD,and Free BSD tend to use their own version of libc. “But even in these cases, it is possible to find individual pieces of software that use glibc, in particular if the software was ported from a Linux based system,” he says.

As a result, potentially thousands of applications are potentially vulnerable to the flaw, disclosed this week.

The flaw itself is present in the glibc DNS client side resolver and is triggered when a particular library function called getaddrinfo() is used.

“The issue is in the way that domain name responses are handled,” says Tod Beardsley, security research manager at Rapid7. “An attacker who controls a DNS server can cause a program to crash, and under some circumstances can hijack the execution path of the program.” Software packages on both traditional platforms and embedded devices, such as routers and IoT devices are vulnerable to the issue, he says.

According to Google and Red Hat, attackers using domain names or DNS servers under their control or via a man-in-the-middle attack can exploit any software that uses the vulnerable library.

“[This is a] fairly big deal since DNS is a core infrastructure component for the Internet, and this involves processing of malicious DNS replies to legitimate DNS requests,” says Mark Loveless senior security researcher at Duo Security. “As it is in glibc, a core component used in most Linux distributions, it exposes a lot of systems to risk.”

But not everyone is agreed on the actual extent of the danger posed by the bug.

Ullrich is of the opinion that the bug is not terribly difficult to exploit if left unpatched. Google already has a working exploit for the flaw and any attacker reasonably skilled in exploit development could likely do the same, he says.

In order to exploit the flaw, the attacker has to trick the victim to send a specific DNS query but that is typically not very hard, he says. “When visiting websites, processing emails and doing pretty much anything network related your system constantly emits DNS queries. The attackers will then respond with the exploit. So the attacker may need to be somewhat patient, but beyond that, it shouldn’t be too difficult to exploit this flaw,” Ullrich says.

But others like Loveless think that the danger posed by the bug is somewhat mitigated by the work required to actually exploit it.

“One of the complexities involves being in the right place,” he says. “The attacker must be able to either anticipate the DNS request before sending the malicious reply, or to sniff the victim's traffic and in real time respond to a legitimate DNS request with a malicious reply.”

In order for this to happen, the attacker has to be in control of a domain or a DNS server that they know the victim will connect to. Or they need to be in close enough proximity to the victim to be able to launch a Man-In-The-Middle attack, Loveless says.

Developing a working exploit is not going to be especially easy either, he says. The attacker would need to not only have an exploit capable of triggering the flaw but also of bypassing security measures like Address Space Layout Randomization (ASLR) that the target system may have in place for dealing with buffer overflow attacks.

Most IoT devices, which are where the flaw is likely to be highly prevalent, also only connect to a few, known endpoints, Beardsley says. So [an attacker] would either need to hijack the network connection entirely via a Man-in-the-Middle attack, or find a process that makes connections to user-supplied domains, such as a web crawler that follows arbitrary links,” he says.

“Therefore, while the vulnerability is interesting, I don't find [it] all that dangerous for the vast majority of the Internet,” Beardsley said. “People who can patch, should, and those who cannot patch likely have more pressing issues, like exposed Shellshock vulnerabilities that should be addressed first.”

More on this topic:

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Register today and receive an early bird discount of $200.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Recommended Reading:

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-04-19
Adobe Robohelp version 2020.0.3 (and earlier) is affected by an uncontrolled search path element vulnerability that could lead to privilege escalation. An attacker with permissions to write to the file system could leverage this vulnerability to escalate privileges.
PUBLISHED: 2021-04-19
Innorix Web-Based File Transfer Solution versuibs prior to and including contains a vulnerability that could allow remote files to be downloaded and executed by setting the arguments to the internal method. A remote attacker could induce a user to access a crafted web page, causing damage...
PUBLISHED: 2021-04-19
XMB is vulnerable to cross-site scripting (XSS) due to inadequate filtering of BBCode input. This bug affects all versions of XMB. All XMB installations must be updated to versions or
PUBLISHED: 2021-04-18
This affects all versions of package killing. If attacker-controlled user input is given, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.
PUBLISHED: 2021-04-18
This affects all versions of package ps-visitor. If attacker-controlled user input is given to the kill function, it is possible for an attacker to execute arbitrary commands. This is due to use of the child_process exec function without input sanitization.