Security glibc vulnerability CVE-2015-7547

dorobo · Feb 17, 2016

just in case you haven't set up yum for auto updates

glibc has a vulnerability that could result in remote code execution

glibc Linux remote code execution vulnerability | Threatpost | The first stop for security news

eva2000 · Feb 17, 2016

ah explains why i got a yum update notice for this

centos 6

Code:

rpm -qa --changelog glibc | head -n3
* Thu Jan 28 2016 Carlos O'Donell <carlos@redhat.com> - 2.12-1.166.7
- Update fix for CVE-2015-7547 (#1296028).

centos 7

Code:

rpm -qa --changelog glibc | head -n9
* Fri Feb 05 2016 Florian Weimer <fweimer@redhat.com> - 2.17-106.4
- Revert problematic libresolv change, not needed for the
  CVE-2015-7547 fix (#1296030).

* Fri Jan 15 2016 Carlos O'Donell <carlos@redhat.com> - 2.17-106.3
- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296030).
- Fix madvise performance issues (#1298930).
- Avoid "monstartup: out of memory" error on powerpc64le (#1298956).

eva2000 · Feb 17, 2016

CVE-2015-7547 - Red Hat Customer Portal

CVE-2015-7547
Impact:
Critical
Public Date:
2016-02-16
Bugzilla:
1293532: CVE-2015-7547 glibc: getaddrinfo stack-based buffer overflow
A stack-based buffer overflow was found in the way the libresolv library performed dual A/AAAA DNS queries. A remote attacker could create a specially crafted DNS response which could cause libresolv to crash or, potentially, execute code with the permissions of the user running the library. Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module.

Find out more about CVE-2015-7547 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement
This issue does not affect the versions of glibc as shipped with Red Hat Enterprise Linux 4 and 5.
Click to expand...

Red Hat Enterprise Linux version 7 (glibc) RHSA-2016:0176 2016-02-16

Red Hat Enterprise Linux version 6 (glibc) RHSA-2016:0175 2016-02-16

rdan · Feb 18, 2016

Thanks!

# rpm -qa --changelog glibc | head -n9
* Fri Feb 05 2016 Florian Weimer <fweimer@redhat.com> - 2.17-106.4
- Revert problematic libresolv change, not needed for the
CVE-2015-7547 fix (#1296030).

* Fri Jan 15 2016 Carlos O'Donell <carlos@redhat.com> - 2.17-106.3
- Fix CVE-2015-7547: getaddrinfo() stack-based buffer overflow (#1296030).
- Fix madvise performance issues (#1298930).
- Avoid "monstartup: out of memory" error on powerpc64le (#1298956).
Click to expand...

eva2000 · Feb 18, 2016

well also good to setup yum-cron for auto yum updates Automatic nightly YUM updates with yum-cron | Centmin Mod Community

rdan · Feb 18, 2016

And some that I work for don't want me to auto update MariaDB .
They don't want even just a second downtime without preparation or doing on off peak hours.

eva2000 · Feb 18, 2016

RoldanLT said: ↑

And some that I work for don't want me to auto update MariaDB .
They don't want even just a second downtime without preparation or doing on off peak hours.
Click to expand...

Working on my own yum-cron script specific to Centmin Mod stack environments too https://community.centminmod.com/posts/24401/

eva2000 · Feb 18, 2016

FYI, folks might need to reboot their servers after glibc update due to services that use glibc or at the very least restart services which use glibc
list of processes on centos 7 install that use glibc for me

Code:

lsof | awk '/libc-/ {print $2,$1,$4,$NF}' | uniq
1 systemd mem /usr/lib64/libc-2.17.so
100 dbus-daem mem directory)
115 agetty mem directory)
117 agetty mem directory)
358 sshd mem directory)
360 bash mem directory)
657 systemd-u mem /usr/lib64/libc-2.17.so
662 systemd-j mem /usr/lib64/libc-2.17.so
1074 sshd mem /usr/lib64/libc-2.17.so
1116 systemd-l mem /usr/lib64/libc-2.17.so
3006 php-fpm mem /usr/lib64/libc-2.17.so
3006 php-fpm mem /usr/lib64/libc-client.so.2007
7500 master mem /usr/lib64/libc-2.17.so
7502 qmgr mem /usr/lib64/libc-2.17.so
10670 nsd mem /usr/lib64/libc-2.17.so
10672 nsd mem /usr/lib64/libc-2.17.so
10673 nsd mem /usr/lib64/libc-2.17.so
10698 mysqld mem /usr/lib64/libc-2.17.so
10698 mysqld mysql /usr/lib64/libc-2.17.so
11965 bash mem /usr/lib64/libc-2.17.so
12059 nginx mem /usr/lib64/libc-2.17.so
12060 nginx mem /usr/lib64/libc-2.17.so
12060 nginx nginx /usr/lib64/libc-2.17.so
12061 nginx mem /usr/lib64/libc-2.17.so
12061 nginx nginx /usr/lib64/libc-2.17.so
12147 pickup mem /usr/lib64/libc-2.17.so
12164 crond mem /usr/lib64/libc-2.17.so
12243 lfd mem /usr/lib64/libc-2.17.so
12334 lsof mem /usr/lib64/libc-2.17.so
12335 awk mem /usr/lib64/libc-2.17.so
12336 uniq mem /usr/lib64/libc-2.17.so
12337 lsof mem /usr/lib64/libc-2.17.so
12370 pure-ftpd mem /usr/lib64/libc-2.17.so
12626 rsyslogd mem /usr/lib64/libc-2.17.so
12626 in:imjour root /usr/lib64/libc-2.17.so
12626 rs:main root /usr/lib64/libc-2.17.so
21335 memcached mem /usr/lib64/libc-2.17.so
21335 memcached nobody /usr/lib64/libc-2.17.so

for centos 6.x services with init.d files

Code:

for s in $(lsof | awk '/libc-/ {print $1}' | uniq ); do if [ -f /etc/init.d/$s ]; then echo $s; fi; done
nsd
lfd
php-fpm
sshd
ntpd
haveged
memcached
nginx
crond
sshd

Code:

for s in $(lsof | awk '/libc-/ {print $1}' | uniq ); do if [ -f /etc/init.d/$s ]; then ps aux | grep $s | grep -v grep >/dev/null; ON=$?;    if [[ "$ON" = '0' ]]; then echo $s;  echo "/etc/init.d/$s restart";  /etc/init.d/$s restart; fi;    fi; done

For CentOS 7 Critical glibc buffer overflow vulnerability in getaddrinfo() on Linux (CVE-2015-7547 & CVE-2015-5229)

Code:

systemctl daemon-reexec

eva2000 · Feb 18, 2016

Media coverage

Glibc: Mega bug may hit thousands of devices - BBC News

Patch Linux now, Google, Red Hat warn, over critical glibc bug | ZDNet

Extremely severe bug leaves dizzying number of software and devices vulnerable | Ars Technica

GHOST glibc Vulnerability Affects WordPress and PHP applications

guess more updates to come ?

“A big deal”
"It's a big deal," Washington, DC-based security researcher Kenn White told Ars, referring to the vulnerability. "This is a core bedrock function across Linux. Things that do domain name lookups have a real vulnerability if the attacker can answer."

The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate. Using a proof-of-concept exploit released Tuesday, White was able to determine that the version of the Wget utility he uses to test and query Web servers was vulnerable. He said he suspects that the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; the Python, PHP, and Ruby on Rails programming languages; and many other things that uses Linux code to look up the numerical IP address of an Internet domain. Most Bitcoin software is reportedly vulnerable, too.
Click to expand...

sheer luck ?

To the surprise of the Google researchers, they soon learned that glibc maintainers had been alerted to the vulnerability last July. They also learned that people who work for the Red Hat Linux distribution had also independently discovered the bug and were working on a fix.

"This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users," the Google researchers wrote.
Click to expand...

for GHOST glibc Vulnerability Affects WordPress and PHP applications

After the disclosure of extremely critical GHOST vulnerability in the GNU C library (glibc) — a widely used component of most Linux distributions, security researchers have discovered that PHP applications, including the WordPress Content Management System (CMS), could also be affected by the bug.
"GHOST" is a serious vulnerability (CVE-2015-0235), announced this week by the researchers of California-based security firm Qualys, that involves a heap-based buffer overflow in the glibc function name - "GetHOSTbyname()." Researchers said the vulnerability has been present in the glibc code since 2000.
Though the major Linux distributors such as Red Hat, Debian and Ubuntu, have already updated their software against the flaw, GHOST could be used by hackers against only a handful of applications currently to remotely run executable code and silently gain control of a Linux server.

As we explained in our previous article, heap-based buffer overflow was found in__nss_hostname_digits_dots() function, which is particularly used by the gethostbyname() andgethostbyname2() glibc function call.
Since, PHP applications including WordPress also use the gethostbyname() function wrapper, the chance of the critical vulnerability becomes higher even after many Linux distributions issued fixes.
Click to expand...
HOW TO CHECK YOUR SYSTEM AGAINST GHOST FLAW

Sucuri also provided the following test PHP code, which an admin can run on their server terminal. If the code returns a segmentation fault, then your Linux server is vulnerable to the GHOST vulnerability.
Code:
php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);' Segmentation fault
Click to expand...
i get
Code:
php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);' Segmentation fault
PHP Warning:  gethostbyname(): Host name is too long, the limit is 255 characters in Command line code on line 1
Code:
php -r '$e="0";for($i=0;$i<2500;$i++){$e="0$e";} gethostbyname($e);'                  
PHP Warning:  gethostbyname(): Host name is too long, the limit is 255 characters in Command line code on line 1

Xon · Feb 18, 2016

eva2000 said: ↑

well also good to setup yum-cron for auto yum updates Automatic nightly YUM updates with yum-cron | Centmin Mod Community
Click to expand...

Nightly cron isn't enough for this nightmare. This affects basically everything that you nearly need to restart every service on the box to be safe. Might as well do a fully reboot.

eva2000 · Feb 18, 2016

Xon said: ↑

Nightly cron isn't enough for this nightmare. This affects basically everything that you nearly need to restart every service on the box to be safe. Might as well do a fully reboot.
Click to expand...

Yeah that's why my centmin mod custom yumupdates.sh script I am working on (based off of yum-cron), will also detect glibc package updates (via querying the yum history info id of last yum update made) and auto restart all services attached associated with libc-* AND are actually services which are already running ONLY. Not 100% fool proof, but a stop gap measure until you can schedule a server reboot i.e. when sleeping

Matt · Feb 19, 2016

I'm just going through and prepping everything for reboots over night tonight. All the cPanel servers have already got the update from the nightly yum.cron they run.

Matt · Feb 19, 2016

Debian are recommending a full reboot after the patch is applied

Debian -- Security Information -- DSA-3481-1 glibc

eva2000 · Feb 19, 2016

Yup reboot is best when you can

trxerz · Feb 20, 2016

eva2000 said: ↑

well also good to setup yum-cron for auto yum updates Automatic nightly YUM updates with yum-cron | Centmin Mod Community
Click to expand...

I've setup yum-cron but never got any notice, there are any additional steps?
And there's a way to check if I already have the patched version?

eva2000 · Feb 21, 2016

trxerz said: ↑

I've setup yum-cron but never got any notice, there are any additional steps?
And there's a way to check if I already have the patched version?
Click to expand...

check your spam and junk folders as emails from root usually get trapped there - you can setup a filter rule for emails from root@yourhostname to not go to spam and label/filter then etc

rpm changelog commands posted at Security - glibc vulnerability CVE-2015-7547 | Centmin Mod Community should verify if you have CVE-2015-7547 fixed

Log in / Register

Forums

Join the community today

Security glibc vulnerability CVE-2015-7547

dorobo Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Xon Active Member

eva2000 Administrator Staff Member

Matt Well-Known Member

Matt Well-Known Member

eva2000 Administrator Staff Member

trxerz Member

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Security glibc vulnerability CVE-2015-7547

dorobo Active Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

rdan Well-Known Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

eva2000 Administrator Staff Member

Xon Active Member

eva2000 Administrator Staff Member

Matt Well-Known Member

Matt Well-Known Member

eva2000 Administrator Staff Member

trxerz Member

eva2000 Administrator Staff Member

.