Google and Red Hat patch critical Linux leak in glibc library
Google and Red Hat have patched a critical vulnerability in the widely used GNU C Library, or glibc. The vulnerability, present since version 2.9, is a stack-based buffer overflow that could allow arbitrary code to be run on affected devices.
Google says in a blog post that one of its employees found the bug, known as CVE-2015-7547, when he tried to establish an SSH connection to a particular host. After his SSH client crashed repeatedly, he traced the crash to a bug in the glibc library. To Google's surprise, the bug had been known to the glibc maintainers since July 2015, and two Red Hat employees were working on a patch at the same time as Google.
The bug is in glibc's client-side DNS resolver, which translates a domain name into an IP address. When the library function 'getaddrinfo' is used, an attacker who controls a domain name or a DNS server can return a UDP or TCP response of more than 2048 bytes, exceeding the buffer reserved for it. This ultimately allows arbitrary code to be executed on vulnerable devices. According to Google, exploiting this is not easy, because mitigations such as ASLR can stand in the way.
It is not yet clear how many applications use glibc; Google only mentions ssh, sudo and curl. Operating systems such as Windows and OS X are not affected by the vulnerability. Android is also not vulnerable, as it uses the alternative 'Bionic' C library. Since the vulnerability is present on any device running an unpatched glibc 2.9 or later, the bug is likely to affect a large number of devices, including Linux computers and routers.
Ars Technica notes that the bug is particularly problematic because the vulnerable library is often present on network devices that do not receive regular updates and also lack protections such as ASLR. A full list of vulnerable devices has yet to be drawn up.
Version 2.9 of glibc was released in 2008. A patch is now available, and users are advised to install the necessary updates.
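As a practical follow-up to the version range the article gives (affected since glibc 2.9, fix now available), the script below screens a host's glibc version against that range. It is an added example, not code from Google, Red Hat or the glibc project. It parses the first line of `ldd --version` output, which on glibc systems carries the library version; the upper bound of the range (2.23, the upstream release that carries the fix) is not stated in the article and is supplied here as an assumption, and because distributions backport the fix to older version numbers, a version-only result is a screening signal to confirm against the distribution's advisory, not proof of vulnerability.

```python
import re
import subprocess
from typing import Optional, Tuple

# From the article: the bug entered glibc in 2.9 (2008).
FIRST_AFFECTED = (2, 9)
# Assumption (not in the article): the upstream fix for CVE-2015-7547 shipped in glibc 2.23.
# Distributions backport the fix to older version numbers, so this check is only a screen.
FIRST_FIXED = (2, 23)

# Constructed sample banners, in the shape `ldd --version` prints on different distributions.
SAMPLE_BANNERS = {
    "generic":  "ldd (GNU libc) 2.17\nCopyright (C) 2012 Free Software Foundation, Inc.",
    "ubuntu":   "ldd (Ubuntu GLIBC 2.23-0ubuntu11) 2.23",
    "old":      "ldd (GNU libc) 2.5",
    "garbage":  "not a glibc banner",
}

_VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_glibc_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from the first line of `ldd --version` output, or None."""
    stripped = banner.strip()
    if not stripped:
        return None
    first_line = stripped.splitlines()[0]
    match = _VERSION_RE.search(first_line)
    if match is None:
        return None
    return int(match.group(1)), int(match.group(2))


def version_in_affected_range(version: Tuple[int, int]) -> bool:
    """True when FIRST_AFFECTED <= version < FIRST_FIXED (tuple comparison is lexicographic)."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def assess(banner: str) -> str:
    """Turn a banner into a one-line screening verdict."""
    version = parse_glibc_version(banner)
    if version is None:
        return "unknown: could not parse a glibc version from the banner"
    label = f"glibc {version[0]}.{version[1]}"
    if version_in_affected_range(version):
        return (f"possibly affected: {label} is within the CVE-2015-7547 range; "
                "confirm against your distribution's advisory (fixes are backported)")
    return f"not in range: {label}"


def local_glibc_banner() -> str:
    """Run `ldd --version` on this host; returns '' where ldd is unavailable (non-glibc systems)."""
    try:
        result = subprocess.run(["ldd", "--version"], capture_output=True, text=True, check=False)
    except OSError:
        return ""
    return result.stdout


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        print(f"{name:8s} -> {assess(banner)}")
    local = local_glibc_banner()
    if local:
        print(f"{'local':8s} -> {assess(local)}")
```

Run it on a Linux host to get a verdict for the local library alongside the constructed samples; a "possibly affected" result means the next step is to compare the full package version (for example `2.19-18+deb8u3`) with the distribution's CVE-2015-7547 advisory and apply the update the article refers to.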