New GNU glibc Vulnerability was announced on 02/17/2016.
The vulnerability, identified as CVE-2015-7547, is similar to Heartbleed and Shellshock in terms of the scope of affected systems, but is not as serious, as it is significantly more difficult to exploit. Successful exploitation of the vulnerability relies on the potential victim communicating with a hostile/malicious DNS server or to be subject to a man-in-the-middle attack. Nevertheless, the vulnerability is considered to be critical by the industry since it can lead to remote exploitation of the client system.
The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.
According to glibc developers, the vulnerable code was initially added in May 2008, as part of the development for glibc 2.9. All versions from 2.9 (originally released November 2008) to 2.22 appear to be affected.
A patch for glibc is available. Affected users should apply the patch as soon as possible. The patch will also be included as part of the upcoming glibc 2.23 release.
If you feel that you need assistance from the Digital Edge Security team please contact Danielle Saladis at dsaladis@DIGITALEDGE.NET.
Digital Edge is committed to providing the highest levels of security within all the IT infrastructure environments under its care. In order to achieve this utmost goal for all of our clients, we continuously maintain vigilance both on the productive side of IT as well as on its destructive side. We thus send out news and security bulletins such as this one from time to time to ensure that our clients are informed and educated on any important developments in IT security and are fully aware of what we are doing to ensure that we and our clients are always at the Cutting and at the Digital Edge of technology.