Google and Red Hat Discover Massive DNS Security Flaw
Both Google and Red Hat have confirmed the existence of a security flaw (CVE ID: CVE-2015-7547) in the GNU project's glibc that allows the execution of arbitrary code via a specially crafted DNS response. The flaw is a stack-based buffer overflow in the send_dg and send_vc procedures of the libresolv segment of glibc and has existed since version 2.9. An attack would work like this: the attacker prompts the target machine to look up a specially crafted domain, which prompts a DNS server to reply with a result that exceeds the maximum acceptable length and thus causes a buffer overflow on the target machine. This, in turn, could allow the attacker to execute arbitrary code.
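The overflow described above comes from copying a reply whose size is dictated by the network into a fixed-size buffer. The following C example is added here for illustration and is not glibc's code or part of the original article: it models a DNS-over-TCP reply (2-byte length prefix) and shows the bounds check that rejects an oversized or truncated message before any copy. The function names, status codes and the 512-byte buffer size are assumptions chosen for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ANSWER_CAP 512 /* assumed size of the fixed answer buffer (demo value) */
enum { COPY_OK = 0, COPY_SHORT_INPUT = -1, COPY_TOO_LARGE = -2 };

/* Copy one DNS-over-TCP message (2-byte big-endian length prefix) into a
 * fixed-size buffer. The declared length is untrusted network data, so it is
 * checked against the bytes received and the buffer capacity before copying. */
static int copy_dns_tcp_response(const uint8_t *wire, size_t wire_len,
                                 uint8_t *answer, size_t answer_cap,
                                 size_t *out_len)
{
    if (wire_len < 2)
        return COPY_SHORT_INPUT;
    size_t declared = ((size_t)wire[0] << 8) | wire[1];
    if (declared > wire_len - 2)
        return COPY_SHORT_INPUT;  /* header claims more than arrived */
    if (declared > answer_cap)
        return COPY_TOO_LARGE;    /* without this check, memcpy overruns answer[] */
    memcpy(answer, wire + 2, declared);
    *out_len = declared;
    return COPY_OK;
}

/* Constructed test input: a message whose header declares `declared` bytes
 * while only `received` filler bytes follow. Returns bytes copied or an error. */
static int try_response(size_t declared, size_t received)
{
    static uint8_t wire[2 + 65535];
    uint8_t answer[ANSWER_CAP];
    size_t got = 0;
    if (declared > 65535 || received > 65535)
        return COPY_SHORT_INPUT;
    wire[0] = (uint8_t)(declared >> 8);
    wire[1] = (uint8_t)(declared & 0xff);
    memset(wire + 2, 0xAB, received);
    int rc = copy_dns_tcp_response(wire, 2 + received, answer, sizeof answer, &got);
    return rc == COPY_OK ? (int)got : rc;
}

int main(void)
{
    printf("512 bytes: %d\n", try_response(512, 512));
    printf("513 bytes: %d\n", try_response(513, 513));
    printf("truncated: %d\n", try_response(300, 10));
    return 0;
}
```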
The good news, however, is that they have developed a patch for this issue. I strongly urge all system administrators to apply this patch if they have not done so already. The severity level of this issue is critical.