New Vulnerability Affecting Linux

18 February 2016 | by Natalie Fayle

Details of a new vulnerability, CVE-2015-7547, have been released that affects the glibc (or eglibc) packages shipped by the majority of Linux distributions currently deployed. In short, glibc's client-side DNS resolver contains a stack-based buffer overflow that is triggered when a specially crafted DNS response is handled by the getaddrinfo() library function. Any software that calls this function can be attacked by whoever controls the domain name being looked up, by an attacker-controlled DNS server, or by a man-in-the-middle on the path between the host and its DNS server.

Common software that calls this function includes ssh, sudo and curl, and in practice almost any program that resolves host names, so it is safest to assume that every networked service on the host is affected.

You can read more about it here:

https://googleonlinesecurity.blogspot.co.uk/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

https://sourceware.org/ml/libc-alpha/2016-02/msg00416.html

Managed Server Customers

Of course we’ll be taking care of this on behalf of our managed customers so we’ll be carrying out the updates over the next couple of days.

Unmanaged Server Customers

Self-managed customers will need to update libc6 (glibc on RHEL/CentOS) and then either reboot their server to pick up the new libraries, or manually restart every service that is still running with the old library mapped. Updating the package on disk is not enough on its own: processes that were already running keep executing the old, vulnerable copy of the code until they are restarted.

You can see which processes still need to be restarted (if you'd rather not reboot) once libc6 has been updated by listing the processes that still have the deleted, pre-update libc mapped:

lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1}'

The first line of output is the lsof header; each further line is a PID and the name of the command that owns it. If only the header is printed, nothing on the host is still using the old library.
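As an added example (not part of the original post), here is the same check written as a small shell filter that can be run over saved lsof output, so it can be tested without access to the host. The lsof lines below are constructed to mimic the output of "lsof +c0 -d DEL" and are not from a real system. Unlike the one-liner above, the filter reports each PID only once and matches only the versioned libc-<version>.so file, so deleted libcrypto or libpthread mappings are not reported as libc hits.

```shell
#!/bin/sh
# Added example: find processes that still map a libc that was deleted by the
# package upgrade, from the output of "lsof +c0 -d DEL".
# Column layout of that output: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
# (SIZE/OFF is empty for DEL entries, so the file name is always the last field).

# Constructed sample of lsof output; not captured from a real host.
SAMPLE_LSOF='COMMAND   PID USER FD  TYPE DEVICE SIZE/OFF  NODE NAME
sshd      812 root DEL REG  252,0          131093 /lib/x86_64-linux-gnu/libc-2.19.so
sshd      812 root DEL REG  252,0          131107 /lib/x86_64-linux-gnu/ld-2.19.so
nginx    1043 www-data DEL REG 252,0      131093 /lib/x86_64-linux-gnu/libc-2.19.so
nginx    1044 www-data DEL REG 252,0      131093 /lib/x86_64-linux-gnu/libc-2.19.so
mysqld   1210 mysql DEL REG 252,0         262417 /usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0
cron      601 root DEL REG  252,0         131099 /lib/x86_64-linux-gnu/libpthread-2.19.so'

# Read lsof output on stdin and print "PID COMMAND" once for every process that
# has a deleted libc-<version>.so mapped. The header line never matches because
# its last field is "NAME"; the seen[] array suppresses repeat lines per PID.
stale_libc_procs() {
    awk '$NF ~ /\/libc-[0-9.]+\.so/ && !seen[$2]++ {print $2, $1}'
}

# Collapse the PID list to unique command names, which is what you would feed
# to "service <name> restart" after checking that the name matches an init script.
stale_libc_commands() {
    stale_libc_procs | awk '{print $2}' | sort -u
}

# Usage on a live host:  lsof +c0 -d DEL 2>/dev/null | stale_libc_procs
# Usage on the constructed sample:
printf '%s\n' "$SAMPLE_LSOF" | stale_libc_procs
```

On the sample above the filter reports PIDs 812 (sshd), 1043 and 1044 (nginx); mysqld and cron are skipped because the deleted files they hold are not libc itself. Remember that an empty result only means no process maps the old libc file; it does not prove the package on disk is the fixed version, so check the installed version against the list below as well.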

 

Fixed package versions (libc6 on Debian/Ubuntu, glibc on RHEL/CentOS) are as follows; anything older than these is still vulnerable:

RHEL 6/CentOS 6: glibc 2.12-1.166.el6_7.7

RHEL 7/CentOS 7: glibc 2.17-106.el7_2.4

Debian 6: libc6 2.11.3-4+deb6u11 (via LTS repo)

Debian 7: libc6 2.13-38+deb7u10 (via security repo)

Debian 8: libc6 2.19-18+deb8u3 (via security repo)

Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13

Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7

Ubuntu 15.10: libc6 2.21-0ubuntu4.1

Patching the vulnerability

If you're using:

Debian Squeeze (6.0) or newer,

Ubuntu Precise LTS (12.04.5) or newer,

CentOS 6.0 or newer,

or RHEL 6.0 or newer, you can upgrade and reboot/restart with the commands below.

If you're using:

Debian Lenny (5.0) or lower,

Ubuntu Lucid LTS (10.04) or lower,

CentOS 5.0 or lower,

or RHEL 5.0 or lower, these releases will not receive this fix, so please upgrade your operating system.

Debian/Ubuntu

To upgrade

$ sudo apt-get clean && sudo apt-get update && sudo apt-get -y install libc6 libc-bin libc6-dev libc-dev-bin

To reboot (recommended for maximum security)

$ sudo reboot

To restart affected system services without a reboot, install lsof and then run the following script as the root user. It matches the names of processes that still have libc mapped against the init scripts in /etc/init.d, so a daemon whose process name differs from its init script (sshd versus /etc/init.d/ssh, for example) or that has no init script at all will not be found; check for those with the lsof command above and restart them by hand.

$ sudo apt-get -y install lsof

servicelist=""
# +c0 stops lsof truncating command names to 9 characters, which would
# otherwise stop them matching init script names; matching on "libc-"
# (the versioned libc-2.x.so file) avoids false hits on libcrypto and
# similarly named libraries.
for problemservice in $(lsof +c0 2>/dev/null | awk '/libc-/ {print $1}' | sort -u); do
    for service in $(ls /etc/init.d/); do
        if [ "$problemservice" = "$service" ]; then
            if service "$problemservice" status 2>/dev/null | grep -q running; then
                servicelist="$servicelist $problemservice"
            else
                echo "$problemservice found but service is not running"
            fi
        fi
    done
done
servicelist=$(echo $servicelist | xargs)
count=$(echo $servicelist | wc -w)
printf '%s services have to be restarted (%s): continue (y/N)? ' "$count" "$servicelist"
read -r continue
# The comparison is quoted: the original one-liner failed with a syntax
# error if you just pressed Enter at the prompt.
if [ "$continue" = "y" ]; then
    for service in $servicelist; do
        service "$service" restart
    done
else
    echo "Leaving without restarting services"
fi

RHEL/CentOS

To upgrade

$ sudo yum clean all && sudo yum -y update glibc glibc-common

To reboot (recommended for maximum security)

$ sudo reboot

To restart affected system services without a reboot, install lsof and then run the following script as the root user. It matches the names of processes that still have libc mapped against the init scripts in /etc/init.d. On RHEL/CentOS 7 most services are native systemd units with no script in /etc/init.d, so the script will not find them; identify them with the lsof command above and restart them with systemctl restart <unit> instead.

$ sudo yum -y install lsof

servicelist=""
# +c0 stops lsof truncating command names to 9 characters, which would
# otherwise stop them matching init script names; matching on "libc-"
# (the versioned libc-2.x.so file) avoids false hits on libcrypto and
# similarly named libraries.
for problemservice in $(lsof +c0 2>/dev/null | awk '/libc-/ {print $1}' | sort -u); do
    for service in $(ls /etc/init.d/); do
        if [ "$problemservice" = "$service" ]; then
            if service "$problemservice" status 2>/dev/null | grep -q running; then
                servicelist="$servicelist $problemservice"
            else
                echo "$problemservice found but service is not running"
            fi
        fi
    done
done
servicelist=$(echo $servicelist | xargs)
count=$(echo $servicelist | wc -w)
printf '%s services have to be restarted (%s): continue (y/N)? ' "$count" "$servicelist"
read -r continue
# The comparison is quoted: the original one-liner failed with a syntax
# error if you just pressed Enter at the prompt.
if [ "$continue" = "y" ]; then
    for service in $servicelist; do
        service "$service" restart
    done
else
    echo "Leaving without restarting services"
fi