February 18, 2016 By Larry Loeb 3 min read

Google, with the help of Red Hat, recently discovered a buffer overflow problem in the GNU C Library (commonly referred to as glibc), naming it CVE-2015-7547. The issue affects all versions of glibc since 2.9, so taking the time to update and mitigate the problem is critical. Furthermore, the vulnerability can affect any program operating under Linux, which uses this library for many of its core functions.

What’s the Problem?

As reported, the glibc Domain Name System (DNS) client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used; software utilizing this function can be potentially exploited through attacker-controlled domain names and DNS servers. An attacker that is able to insert a false address can subvert the normal DNS system and fool the app into accessing a Web resource it had no intention of visiting.

“Overflowing bytes are entirely under the control of the attacker and are the result of a crafted DNS response,” according to Carlos O’Donnell of Red Hat. “A back-of-the-envelope analysis shows it should be possible to write correctly formed DNS responses with attacker-controlled payloads that will penetrate a DNS cache hierarchy and therefore allow attackers to exploit machines behind such caches.”

What does this mean? All Linux servers and Web frameworks, such as Rails, PHP and Python, would be at risk to have this buffer overflow affect their execution (by misdirecting the URLs in their API calls, for example) as well as any Android apps running glibc.

Any type of Linux-based app that makes a domain name call as part of its logic flow would also be affected. The affected application would only have to query the attacker-controlled domain names or servers, and the false responses the app could receive would impair them in any way the attacker wished.

Additionally, a man-in-the-middle (MitM) attack could be mounted. This exploit would allow the attacker to manipulate data passing from an app to the Internet by first making an app’s output send to their domain and resending it from there.

The Buffer Overflow Mechanism

The vulnerability relies on an oversized User Datagram Protocol (UDP) or Transmission Control Protocol (TCP) response. If the response is larger than 2048 bytes, a new buffer will be allocated from the heap and the buffer pointer, new buffer size and response size are updated.

If the response is immediately followed by another response, a mismatch between the stack buffer and the new heap allocation can overwrite the stack. This leads to the stack-based buffer overflow because the DNS response is larger than the stack buffer used to originally store it even though a heap buffer had been allocated.

O’Donnell also said they had performed proof-of-concept tests on an exploit. “Local testing shows we have been able to control at least the execution of one free() call with the buffer overflow and gained control of EIP. Further exploitation was not attempted, only this single attempt to show that it is very likely that execution control can be gained without much more effort.”

Time to Patch and Mitigate

While patching is the best course of action, there might be mitigation strategies, as well.

“Our suggested mitigation is to limit the response (i.e., via Dnsmasq or similar programs) sizes accepted by the DNS resolver locally to ensure that DNS queries are sent only to DNS servers, which limit the response size for UDP responses with the truncation bit set,” explained Google researcher Fermin J. Serna.

In simpler terms, keep the buffer from overflowing by manually limiting its size, which prevents it from causing a request for more buffer memory. This way, no mismatch will occur, and no overflow ensues.

In any case, now that the flaw is widely known, an immediate response is necessary from system administrators to prevent exploiters from using it.

More from

What does resilience in the cyber world look like in 2025 and beyond?

6 min read -  Back in 2021, we ran a series called “A Journey in Organizational Resilience.” These issues of this series remain applicable today and, in many cases, are more important than ever, given the rapid changes of the last few years. But the term "resilience" can be difficult to define, and when we define it, we may limit its scope, missing the big picture.In the age of generative artificial intelligence (gen AI), the prevalence of breach data from infostealers and the near-constant…

Airplane cybersecurity: Past, present, future

4 min read - With most aviation processes now digitized, airlines and the aviation industry as a whole must prioritize cybersecurity. If a cyber criminal launches an attack that affects a system involved in aviation — either an airline’s system or a third-party vendor — the entire process, from safety to passenger comfort, may be impacted.To improve security in the aviation industry, the FAA recently proposed new rules to tighten cybersecurity on airplanes. These rules would “protect the equipment, systems and networks of transport…

Protecting your digital assets from non-human identity attacks

4 min read - Untethered data accessibility and workflow automation are now foundational elements of most digital infrastructures. With the right applications and protocols in place, businesses no longer need to feel restricted by their lack of manpower or technical capabilities — machines are now filling those gaps.The use of non-human identities (NHIs) to power business-critical applications — especially those used in cloud computing environments or when facilitating service-to-service connections — has opened the doors for seamless operational efficiency. Unfortunately, these doors aren’t the…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today