Tag Archives: Vulnerability

Critical glibc Flaw Puts Linux Machines and Apps at Risk (Patch Immediately)


A highly critical vulnerability has been uncovered in the GNU C Library (glibc), a key component of most Linux distributions, that leaves nearly all Linux machines, thousands of apps and many electronic devices vulnerable to hackers who can take full control of them.

Just clicking on a link or connecting to a server can result in remote code execution (RCE), allowing hackers to steal credentials, spy on users, seize control of computers, and more.
The vulnerability is similar to last year’s GHOST vulnerability (CVE-2015-0235), which left countless machines vulnerable to remote code execution (RCE) attacks and represented a major Internet threat.
GNU C Library (glibc) is a collection of open source code that powers thousands of standalone apps and most Linux distributions, including those distributed on routers and other types of hardware.
The recent flaw, indexed as CVE-2015-7547, is a stack-based buffer overflow vulnerability in glibc’s client-side DNS resolver, the code used to translate human-readable domain names, like google.com, into network IP addresses.
The buffer overflow is triggered when the getaddrinfo() library function, which performs domain-name lookups, is in use, allowing hackers to remotely execute malicious code.

How Does the Flaw Work?

The flaw can be exploited when an affected device or app makes a query to a malicious DNS server that returns too much data in reply to a lookup request, overflowing the program’s memory with attacker-supplied content.
That content then compromises the vulnerable application or device and attempts to take control of the whole system.
It is also possible to inject a domain name into server log files, which triggers remote code execution when the name is later resolved. An SSH (Secure Shell) client connecting to a server could likewise be compromised.
However, an attacker needs to bypass several operating system security mechanisms, such as ASLR and non-executable stack protection, in order to achieve a successful RCE attack.
Alternatively, an attacker on your network could perform man-in-the-middle (MitM) attacks and tamper with DNS replies, with a view to monitoring and manipulating (injecting malicious payloads into) data flowing between a vulnerable device and the Internet.

Affected Software and Devices

All versions of glibc after 2.9 are vulnerable. Therefore, any software or application that connects to things on a network or the Internet and uses glibc is at risk.
The widely used SSH, sudo, and curl utilities are all known to be affected by the buffer overflow bug, and security researchers warn that the list of other affected applications or code is almost too diverse and numerous to enumerate completely.
The vulnerability could extend to nearly all major software, including:
  • Virtually all distributions of Linux.
  • Programming languages such as Python and PHP, and frameworks such as Ruby on Rails.
  • Many other programs that use Linux code to look up the numerical IP address of an Internet domain.
  • Most Bitcoin software is reportedly vulnerable, too.

Who Is Not Affected

The good news is that users of Google’s Android mobile operating system aren’t vulnerable to this flaw, because the company uses a glibc substitute known as Bionic that is not susceptible, according to a Google representative.
Additionally, a lot of embedded Linux devices, including home routers and various gadgets, are not affected by the bug because these devices use the uClibc library, which is more lightweight than glibc.
The vulnerability was first introduced in May 2008 but was only reported to the glibc maintainers in July 2015.
The vulnerability was discovered independently by researchers at Google and Red Hat, who found that it has likely not been publicly attacked.
The flaw was discovered when one of Google’s SSH apps experienced a severe error called a segmentation fault each time it attempted to contact a particular Internet address, Google’s security team reported in a blog post published Monday.

Where glibc Went Wrong

Google researchers figured out that the error was due to a buffer overflow bug inside the glibc library that made malicious code execution attacks possible. The researchers then notified glibc maintainers.
Here’s what went wrong, according to the Google engineers:

“glibc reserves 2048 bytes in the stack through alloca() for the DNS answer at _nss_dns_gethostbyname4_r() for hosting responses to a DNS query. Later on, at send_dg() and send_vc(), if the response is larger than 2048 bytes, a new buffer is allocated from the heap and all the information (buffer pointer, new buffer size and response size) is updated.”

“Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.”
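The bookkeeping mistake the Google engineers describe above, reduced to a small C model. This is an added illustration written for this page and is not glibc’s code: the names answer_buf, grow_answer, grow_answer_stale, store_response and resolver_model are invented, and the real trigger conditions inside send_dg() and send_vc() are more involved than the single missed update modelled here. The copy that overflowed in glibc is replaced by a bounds check that refuses and reports, so the program never corrupts its own stack.

```c
/* Added illustration of the stack/heap bookkeeping mismatch behind
 * CVE-2015-7547.  Not glibc's code: all names are invented, and the
 * mismatch is reduced to one missed update of the caller's state. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define STACK_ANSWER_SIZE 2048   /* the alloca(2048) reserved for the DNS answer */

/* State that must stay consistent: destination pointer, its capacity and
 * the response length (the three items the article says get updated). */
struct answer_buf {
    unsigned char *buf;   /* current destination: stack buffer or heap buffer */
    size_t cap;           /* capacity of buf */
    size_t len;           /* bytes of response stored */
    bool on_heap;         /* whether buf must be freed */
};

/* Correct growth: if the reply does not fit, move to a heap buffer and
 * update the caller's bookkeeping through the pointer. */
static int grow_answer(struct answer_buf *ab, size_t resp_len)
{
    if (resp_len <= ab->cap)
        return 0;
    unsigned char *heap = malloc(resp_len);
    if (heap == NULL)
        return -1;
    if (ab->on_heap)
        free(ab->buf);
    ab->buf = heap;
    ab->cap = resp_len;
    ab->on_heap = true;
    return 0;
}

/* Stale growth, modelling the mismatch: the heap buffer is allocated, but
 * only a private copy of the bookkeeping is updated, so the caller keeps
 * using the 2048-byte stack buffer as the destination. */
static int grow_answer_stale(struct answer_buf ab, size_t resp_len)
{
    int rc = grow_answer(&ab, resp_len);   /* updates the local copy only */
    if (ab.on_heap)
        free(ab.buf);                      /* the caller never sees this buffer */
    return rc;
}

/* Store a reply, or report that it would not fit where the bookkeeping
 * says it should go.  In glibc the copy happened regardless, and that is
 * the stack-based overflow. */
static bool store_response(struct answer_buf *ab, const unsigned char *resp,
                           size_t resp_len)
{
    if (resp_len > ab->cap)
        return false;                      /* would overflow: refuse */
    memcpy(ab->buf, resp, resp_len);
    ab->len = resp_len;
    return true;
}

/* Run the model with a constructed reply of resp_len filler bytes.
 * Returns true if the reply was stored safely, false if the accounting
 * would have sent an oversized reply into the stack buffer. */
bool resolver_model(size_t resp_len, bool fixed)
{
    unsigned char stack_answer[STACK_ANSWER_SIZE];  /* stands in for alloca() */
    struct answer_buf ab = { stack_answer, sizeof stack_answer, 0, false };
    unsigned char *resp = malloc(resp_len ? resp_len : 1);
    if (resp == NULL)
        return false;
    memset(resp, 0x41, resp_len);                   /* constructed DNS reply payload */

    bool stored = false;
    int rc = fixed ? grow_answer(&ab, resp_len) : grow_answer_stale(ab, resp_len);
    if (rc == 0)
        stored = store_response(&ab, resp, resp_len);

    if (ab.on_heap)
        free(ab.buf);
    free(resp);
    return stored;
}

int main(void)
{
    /* A 600-byte reply fits the stack buffer either way; a 3000-byte reply
     * is only safe when the bookkeeping follows the heap allocation. */
    printf("600 bytes, stale bookkeeping:  %s\n", resolver_model(600, false) ? "stored" : "would overflow");
    printf("3000 bytes, stale bookkeeping: %s\n", resolver_model(3000, false) ? "stored" : "would overflow");
    printf("3000 bytes, fixed bookkeeping: %s\n", resolver_model(3000, true) ? "stored" : "would overflow");
    return 0;
}
```

The defensive point the model makes explicit is that the capacity check in store_response is only as good as the state it checks against: once the destination pointer, its capacity and the response length are updated separately, a reply that is larger than the stack buffer can pass every local check and still land in the wrong buffer. The mitigation quoted later on this page (capping DNS reply sizes at the network edge) works because it keeps replies below the 2048-byte stack buffer in the first place.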

Proof-of-Concept Exploit Released

Google’s Fermin J. Serna released proof-of-concept (POC) exploit code on Tuesday.
With this POC code, you can verify whether you are affected by this critical issue, and verify any mitigations you may wish to enact.

Patch glibc Vulnerability

Google researchers, working with security researchers at Red Hat, have released a patch to fix the programming blunder.
However, it is now up to the community behind the Linux OS and to manufacturers to roll out the patch to their affected software and devices as soon as possible.
For people running servers, fixing the issue will be a simple process of downloading and installing the patch update.
But for other users, patching the problem may not be so easy. Apps compiled with a vulnerable glibc version should be recompiled with an updated version, a process that will take time, as users of affected apps have to wait for updates to become available from developers.
Meanwhile, if you aren’t able to patch your instance of glibc immediately, you can help prevent exploitation of the flaw by limiting all TCP DNS replies to 1024 bytes and dropping UDP DNS packets larger than 512 bytes.
For more in-depth information on the glibc flaw, you can read Red Hat’s blog post.

Hey, Apple User! Check If You are also Affected by the Sparkle Vulnerability

A pair of new security vulnerabilities has been discovered in a framework used by a wide variety of Mac apps, leaving them open to Man-in-the-Middle (MitM) attacks.

The framework in question is Sparkle, which a large number of third-party OS X apps, including Camtasia, uTorrent, Duet Display and Sketch, use to facilitate automatic updates in the background.

Sparkle is an open source

Vigilante Hackers Aim to Hijack 200,000 Routers to Make Them More Secure

The same “Vigilante-style Hacker,” who previously hacked more than 10,000 routers to make them more secure, has once again made headlines by compromising more than 70,000 home routers and apparently forcing their owners to make them secure against flaws and weak passwords.

Just like the infamous hacking group Lizard Squad, the group of white hat hackers, dubbed the White Team, is building

All Versions of Windows affected by Critical Security Vulnerability

Microsoft has released 13 security bulletins, six of which are considered to be critical, resolving a total of 41 security vulnerabilities in its software this month.

Every Windows version Affected:

One of the critical vulnerabilities affects all supported versions of Windows, including Microsoft’s newest Windows 10 operating system, as well as Windows Server 2016 Tech Preview 4.

The

Oracle Issues Emergency Java Update for Windows

The US-based software maker Oracle delivered an unusual out-of-band emergency patch for Java in an effort to fix a flaw in the installation process on Windows platforms.

The successful exploitation of the critical vulnerability, assigned CVE-2016-0603, could allow an attacker to trick an unsuspecting user into visiting a malicious website and downloading files to the victim’s system before

Critical Flaws Found in NETGEAR Network Management System

Netgear, one of the most popular router manufacturers, has been found vulnerable to two different flaws that could allow hackers to compromise your corporate network and connected devices.

The reported critical vulnerabilities reside in Netgear’s ProSafe NMS300 (Network Management System), a centralized and comprehensive management application for network administrators that enables them

Android has some critical remotely-exploitable security holes. But can you get the patch?

Remote code execution vulnerabilities have been found in the Android operating system, and patches released for Nexus devices.

But what about your smartphone? Is there a patch for you, and can you get your hands on it?

The post Android has some critical remotely-exploitable security holes. But can you get the patch? appeared first on We Live Security.

Google Patches Critical Remotely-exploitable Flaws in Latest Android Update

Google has released the February Security Update for Android, which patches multiple security vulnerabilities discovered in the latest version of the Android operating system.
In total, five “critical” security vulnerabilities were fixed in the release, along with four “high” severity and one “moderate” issue.

Remote Code Execution Flaw in WiFi

Two critical vulnerabilities have been found in the Broadcom WiFi driver that could be exploited by attackers to perform Remote Code Execution (RCE) on affected Android devices when the device is connected to the same network as the attacker.
The vulnerabilities (CVE-2016-0801 and CVE-2016-0802) can be exploited by sending specially crafted wireless control message packets that corrupt kernel memory, potentially leading to remote code execution at the kernel level.

“These vulnerabilities can be triggered when the attacker and the victim are associated with the same network,” reads the advisory. “This issue is rated as a Critical severity due to the possibility of remote code execution in the context of the kernel without requiring user interaction.”

Remote Code Execution Flaw in Mediaserver

Another two critical security vulnerabilities were discovered in Mediaserver, the component targeted last summer by the critical Stagefright vulnerabilities and exploits, which allowed anyone to compromise an Android device by sending a specially crafted MMS message.
The newly discovered flaws (CVE-2016-0803 and CVE-2016-0804) in Mediaserver could enable remote code execution (RCE) on affected Android devices through email, web browsing, or MMS when processing media files.
Moreover, a separate elevation-of-privilege vulnerability (CVE-2016-0810) was also discovered in Mediaserver that could be exploited to gain elevated capabilities, including Signature or SignatureOrSystem permissions, which aren’t accessible to third-party apps.
Two elevation-of-privilege vulnerabilities have also been found in Qualcomm components: the Qualcomm Performance Module (CVE-2016-0805) and the Qualcomm Wi-Fi Driver (CVE-2016-0806). Both flaws, rated critical, could be leveraged by an attacker to launch further attacks.
Another critically rated bug (CVE-2016-0807), discovered in the Debuggerd component, could allow arbitrary code execution at the device’s root level. Debuggerd is a software tool used for debugging and analyzing Android crashes.

Other high severity bugs include:

  • An elevation of privilege vulnerability in the Android Wi-Fi component
  • A denial-of-service vulnerability in the Minikin library
  • An information disclosure bug in libmediaplayerservice
The final issue is an elevation-of-privilege flaw in Setup Wizard that could allow a hacker to bypass Factory Reset Protection and gain access to the affected device.
All of the security patches are currently available for Nexus devices only. Google also shared the patches with carrier and manufacturer partners on January 4, but users of other Android devices will have to wait until their devices receive an update.
Nexus device users are advised to patch the flaws by flashing their devices to the new build immediately. Users can also wait for the OTA (Over-the-Air) update, which will be out in the next week or so.

Hacking Smartphones Running on MediaTek Processors

A dangerous backdoor has been discovered in MediaTek processors that could be exploited to hack Android devices remotely.

MediaTek is a Taiwan-based hardware company that manufactures chips and processors used in smartphones and tablets.

The backdoor was discovered by security researcher Justin Case, who already informed MediaTek about the security issue via Twitter, as