Remediating The glibc DNS Bug Or: How To Survive An Inherently Flawed Digital Landscape
February 23, 2016
4 minute read
Buffer overflowing—or the stuffing of more data into a block of memory than allocated—has been one of the more common security vulnerabilities to be exploited in recent years. Last week Google and RedHat security researchers discovered a particularly distressing buffer overflow vulnerability in one of the key underpinnings of the internet: the glibc DNS bug. And while the glibc team has provided a fix for most Linux distros, it's questionable whether the flaw can be eradicated any time soon, especially given the ubiquity of Linux systems and the GNU Project's implementation of the C standard library.
For the uninitiated, Domain Name Services (DNS) are at the heart of virtually every internet transaction. DNS essentially translates domain names into IP addresses; it's what makes web requests via domain name possible, as servers only understand numerical values. The vulnerability in question lies in the GNU C Library's faulty domain name lookup function getaddrinfo()—by exploiting the flaw, attackers could remotely execute malicious custom-crafted code. All versions of glibc after 2.9 are vulnerable.
Python and Haskell crapping out on the glibc DNS bug. Source: dankaminsky.com.
Two aspects of this vulnerability make it especially troublesome: the ubiquity of glibc and the nature/criticality of DNS at large. Glibc is used by most versions of Linux and countless standalone applications, and is embedded on the OS level in firewall and IoT devices, among others.
Machines of course look up domain names all the time ( whether user-initiated or on the backend), and an unpatched system could be remotely hijacked by simply looking up a domain name. Suffice to say, the vulnerability is currently at the top of security researchers' lists in terms of severity and widespread impact. Here are just a few services and technologies impacted by the glibc DNS Bug:
virtually every Bitcoin implementation
secure shell (SSH), sudo, and curl utilities
all Linux servers and web frameworks like Rails, PHP and Python
Android apps running glibc
embedded Linux instances in routers and IoT devices
The glibc DNS bug—documented as CVE-2015-7574—can be remediated by applying the patch provided by the glibc team. Again, the difficulty lies not in the fix itself but applying it across vast infrastructures and disparate IT environments. Software and systems are invariably bug-prone, and subsequently—the entire digital landscape that we've grown dependent on is inherently flawed. This certainly won't be the last discovery of its kind: code errors are a fact of life and often elude discovery for years or decades. Case in point: the glibc DNS vulnerability was introduced back in 2008.
How can your organization position itself to thrive in an inherently flawed digital landscape? Better and more security solutions are only part of the answer, especially in this age where partnerships and integrations are the norm. An infrastructure is only as strong as its weakest link, and as the glibc DNS bug will serve to illustrate—organizations are at whim of hardware and software vendors who may/not be expedient in their patching efforts. The key is not improving security, per se, but enabling digital resilience: managing the dangers and rewards of transacting in today's digital economies from a risk management perspective. Vulnerabilities and data breaches may be a fact of life, but they don't have to jeopardize your firm's livelihood.
The nearly 1.3 million people that die in auto accidents yearly is analogous to this premise. No amount of fatalities will deter people from driving to work every day, as most make it through physically and financially unscathed with a proper mix of personal vigilance and automotive risk coverage. And of course, the occasional fender bender is bound to happen. Similarly, proper IT security and cyber risk insurance coverage will enable digitally resilient firms to thrive in today's cyber threat landscape.
To this end, UpGuard's platform for digital resilience will alert you if critical vulnerabilities and security flaws like the glibc DNS Bug are found lurking in your IT infrastructure, as well as provide the requisite visibility and metrics for acquiring cyber risk insurance as part of an overall digital resilience game plan. Like a credit score, our industry-accepted CSTAR provides both the data for assessing initial coverage needs as well as a barometer for cyber security improvement.