24 Feb 2016

Major vulnerability found in GNU C Library

Security researchers have identified a serious vulnerability in an open-source code library known as the GNU C Library (glibc).

Experts believe hundreds of thousands of devices and apps are at risk of a cyberattack as a result of the flaw, which has been present since 2008.

A Google engineer discovered the bug by chance, the tech giant revealed in a detailed blog.

“[He] noticed that their SSH client segfaulted every time they tried to connect to a specific host,” Fermin J. Serna, a staff security engineer at Google, and his colleague Kevin Stadmeyer, a technical program manager, elaborated.

“That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting.”

Following on from this, the team launched an investigation to see whether this vulnerability could indeed be exploited. After “some intense hacking sessions”, that proved to be the case.

This means that, by exploiting this flaw, a cybercriminal can remotely execute malicious code on a device or app.

“Many people are running around right now trying to work out if this is truly catastrophic or whether we have dodged a bullet,” Prof Alan Woodward, a security expert from the University of Surrey, told the BBC.

What’s most troubling about this particular flaw, aside from the fact that it has been around for the last seven years, is that it is present in the so-called ‘building blocks’ of the world wide web.

A patch has since been released, which addresses the vulnerability, Google stated. It has also issued some advice in the event that the patch cannot immediately be implemented.

“The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack,” it highlighted.

“Our suggested mitigation is to limit the response sizes accepted by the DNS resolver locally as well as to ensure that DNS queries are sent only to DNS servers which limit the response size for UDP responses with the truncation bit set.”
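As an added example (not from the article or from Google's advisory), the size limit described above expressed as a check a local resolver could apply to raw DNS responses before handing them to the library: it decodes the standard 12-byte DNS header, rejects anything over the quoted 2048-byte threshold, and reports whether the server set the truncation (TC) bit. The sample messages are constructed here and the function names are hypothetical.

```python
import struct

# Threshold quoted in the advisory: responses of 2048+ bytes are the concern.
MAX_RESPONSE_BYTES = 2048


def parse_dns_header(payload: bytes) -> dict:
    """Decode the fixed 12-byte DNS header (RFC 1035, section 4.1.1).

    Only the header is decoded; question and answer sections are not parsed.
    """
    if len(payload) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    tid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": tid,
        "is_response": bool(flags & 0x8000),  # QR bit: 1 = response
        "truncated": bool(flags & 0x0200),    # TC bit: server cut the answer short
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def check_response(payload: bytes, max_bytes: int = MAX_RESPONSE_BYTES):
    """Return (accept, reason) for a raw response received over UDP or TCP.

    Applies the advisory's stopgap: drop oversized responses before they reach
    the resolver library. Applying the glibc patch remains the real fix.
    """
    hdr = parse_dns_header(payload)
    if not hdr["is_response"]:
        return False, "not a response (QR bit clear)"
    if len(payload) > max_bytes:
        return False, f"response of {len(payload)} bytes exceeds {max_bytes}-byte limit"
    if hdr["truncated"]:
        return True, "accepted; TC bit set, server truncated the answer"
    return True, "accepted"


def build_sample(size: int, truncated: bool = False) -> bytes:
    """Constructed test message: a response header padded to `size` bytes."""
    flags = 0x8180 | (0x0200 if truncated else 0)  # QR=1, RD=1, RA=1 (+TC)
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0)
    return header + b"\x00" * (size - 12)


if __name__ == "__main__":
    for size, tc in ((512, False), (512, True), (4096, False)):
        print(size, tc, check_response(build_sample(size, tc)))
```

Note that a cap on response size only removes the oversized-response precondition quoted above; it does not repair the library, so it is a bridge until the patch can be deployed.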

Welivesecurity