Security teams from Google and Red Hat have warned of a serious vulnerability in the glibc library used by many GNU/Linux distributions, which can be used to attack servers through DNS resolution.
Google's Online Security Blog
announced the flaw last last night, having run into issues crashing an SSH client which were traced back to a flaw in glibc. Rather than simply causing instability, however, the team soon discovered a buffer overflow issue which could be exploited to run arbitrary code on a system through a malicious DNS query - though mitigated by protections elsewhere within the operating system, such as address space layout randomisation (ASLR).
Google's security team wasn't alone in its investigation, however: two researchers at Linux vendor Red Hat had also found the flaw and begun their own investigation. Teaming up, the researchers were able to develop and test a patch for the issue which has now begun being distributed to clients. The ubiquity of Linux in embedded appliances, from network routers through to 'smart' lightbulbs, could make entirely eradicating the flaw difficult, however: vendors frequently treat the firmware of such devices as inviolate, rarely keeping package versions up-to-date.
Interestingly, this isn't the first time the bug had been spotted. The project's bug tracker has an entry
dating back to July 2015 for the same issue, but it was given a low importance as it was not believed to be security related - a mistake which the new patch has now rectified.
In short, if you use Linux with the GNU packages: update glibc at your earliest convenience.
Want to comment? Please log in.