DNS lookup vulnerability (CVE-2015-0235) in glibc (XF is a vector when on Linux)

Xon said:
XenForo explicitly does DNS lookups of IPs at registration time
Click to expand...
I haven't delved into the underlying code (in Linux), but the only explicit gethostbyname() calls in XF are DNS black lists and one in Zend Framework's email validation. We are mostly resolvings IPs back to hosts which is done via gethostbyaddr and PHP's dns_get_record. It may be a vector but I'm not sure. (If the issue is in the underlying parsing of DNS records then it would be, though I'm surprised they seem to have attributed this to gethostbyname specifically.)

Fixing this fully likely requires a server reboot as well.
 
Last edited:
Mike said:
I haven't delved into the underlying code (in Linux), but the only explicit gethostbyname() calls in XF are DNS black lists and one in Zend Framework's email validation. We are mostly resolvings IPs back to hosts which is done via gethostbyaddr and PHP's dns_get_record. It may be a vector but I'm not sure. (If the issue is in the underlying parsing of DNS records then it would be, though I'm surprised they seem to have attributed this to gethostbyname specifically.)

Fixing this fully likely requires a server reboot as well.
Click to expand...
The real issue is all the other services which use the legacy gethostbyname call.

I haven't seen anything which says dns_get_record vulnerability, but you'ld need to check the php source to see if it goes anywhere near it. Easier to just patch and move on.

MattW said:
Same with CentOS, you just need to restart the services using on glibc
Click to expand...
While technically true, it is faster to just reboot the server for modern VMs.
 
The actual bug was fixed in glibc in May, 2013. However many distros still push the affected versions but some distros are already on a version that has the bug fixed and therefore not vulnerable. (ie glibc 2.18 onwards are good)
 
I inspected it with a local build on a vm and well, it was pretty damn handy with nice clean output with my green on black shell.

Good read, Imahafta drop that in the ole pastebin (the one in my c: drive at home of course).
 
eva2000 said:
Yeah much easier with one liner in SSH to restart only services which rely on libc - I've updated all of my 35+ servers so far - only needed to type the commands once to update them all :)
Click to expand...
I did it manually on one and tested this on the other, and in comparison one stood still and one was moving.
 
If you are happy you know which services need to be restarted, the a reboot isn't required. But........it's probably quicker to reload for a lot of people.

We aren't reloading out boxes at work, as a lot of them will need a manual FSCK performing due to their uptime, and will require remote hands and eyes.
 
  • Like
Reactions: Xon
You must log in or register to reply here.

Similar threads

PaulB
PSA: ImageMagick information disclosure vulnerability CVE-2022-44268
Replies
13
Views
2K
Chris D
Chris D
Back
Top Bottom