How To Patch and Protect Linux Glibc Getaddrinfo Stack-based Buffer Overflow Zero Day Vulnerability CVE-2015-7547 and CVE-2015-5229 [ 16/Feb/2016 ]
A critical stack-based buffer overflow was found in the way the libresolv library (glibc) performs dual A/AAAA DNS queries. A remote attacker could crash, or potentially execute code in, any program that uses the library on Linux. How do I patch and protect my server or workstation against the glibc getaddrinfo vulnerability on a Linux operating system?
GNU C Library (glibc) could be made to crash or run programs or commands if it received specially crafted network traffic. The vulnerability was first reported by Google and Red Hat.
What is the GNU C Library vulnerability?
All versions of glibc since 2.9 are affected by this bug. An exploit would most likely be delivered by getting a vulnerable system to perform a DNS lookup. A DNS-based remote code execution vulnerability can cause serious problems. The second bug, CVE-2015-5229, causes calloc to return memory that is not zeroed; it can also be used to create a denial of service attack. The best option is to patch both Linux-based servers and clients/workstations/laptops against CVE-2015-7547 and CVE-2015-5229.
A list of affected Linux distributions
Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux Server 6
CentOS Linux 7
CentOS Linux 6
Debian Linux 6 squeeze
Debian Linux 7 wheezy
Debian Linux 8 jessie
Ubuntu Linux 15.10
Ubuntu Linux 14.04 LTS
Ubuntu Linux 12.04 LTS
SUSE Linux Enterprise Linux 11
SUSE Linux Enterprise Linux 12
openSUSE Leap 42.1
What GNU C library (Glibc) version does my Linux system use?
Type the following command:
$ ldd --version
Sample outputs from Ubuntu Linux 14.04 LTS:
ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
Fix the Glibc Getaddrinfo vulnerability on a Debian or Ubuntu Linux
Type the following commands:
$ sudo apt-get update
$ sudo apt-get upgrade
Sample outputs:
Here are fixed versions:
Ubuntu 15.10: libc6 2.21-0ubuntu4.1
Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7
Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13
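To check an Ubuntu host against the fixed libc6 builds listed above, here is an added POSIX shell script (not from the original article): it pulls the package version out of the first line of ldd --version and compares it with the fixed build for the release. The fixed versions are the article's; the version comparison is an assumed simplification that compares numeric components only, which is enough for these "2.19-0ubuntu6.7"-style strings but is not full dpkg version semantics.

```shell
#!/bin/sh
# Fixed libc6 builds for CVE-2015-7547, keyed by Ubuntu release (from the article).
fixed_libc6_for() {
    case "$1" in
        15.10) echo "2.21-0ubuntu4.1" ;;
        14.04) echo "2.19-0ubuntu6.7" ;;
        12.04) echo "2.15-0ubuntu10.13" ;;
        *)     return 1 ;;
    esac
}

# Compare two version strings component-wise; prints -1, 0 or 1.
# Simplification (assumption): only the numeric runs are compared, so
# "2.19-0ubuntu6.6" is treated as 2 19 0 6 6. Not full dpkg ordering.
version_cmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, /[^0-9]+/); nb = split(b, y, /[^0-9]+/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0; yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Extract the package version from `ldd --version` output, e.g.
# "ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19" -> "2.19-0ubuntu6.6".
ldd_package_version() {
    printf '%s\n' "$1" | sed -n '1s/.*(\([^)]*\)).*/\1/p' | awk '{ print $NF }'
}

# Exit status 0 = patched, 1 = still vulnerable, 2 = release not in the table.
libc6_is_fixed() {
    fixed=$(fixed_libc6_for "$1") || return 2
    [ "$(version_cmp "$2" "$fixed")" -ge 0 ]
}

# Constructed sample: the article's Ubuntu 14.04 LTS `ldd --version` output.
SAMPLE_LDD='ldd (Ubuntu EGLIBC 2.19-0ubuntu6.6) 2.19
Copyright (C) 2014 Free Software Foundation, Inc.'

sample_status() {
    if libc6_is_fixed 14.04 "$(ldd_package_version "$SAMPLE_LDD")"; then
        echo "patched"; else echo "vulnerable"; fi
}
```

On a real Ubuntu host, replace SAMPLE_LDD with "$(ldd --version)" and the release with "$(lsb_release -rs)" to check the live system.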
You must restart the services that depend upon glibc, or, the best option, reboot the box as per your schedule:
$ sudo reboot
Fix the Glibc Getaddrinfo vulnerability on a RHEL/CentOS Linux
Type the following yum commands:
$ sudo yum clean all
$ sudo yum update
You must restart the services that depend upon glibc, or, the best option, reboot the box as per your schedule:
$ sudo reboot
RHEL/CentOS 7 users can simply run the following command and avoid rebooting the system:
$ sudo systemctl daemon-reexec
Fix the Glibc Getaddrinfo vulnerability on SUSE Linux Enterprise (and openSUSE)
To update the installed glibc packages to their newer available versions, run:
# zypper up
The author is the creator of nixCraft and a seasoned sysadmin, DevOps engineer, and a trainer for the Linux operating system/Unix shell scripting.