• This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn more.

DNS lookup vulnerability (CVE-2015-0235) in glibc (XF is a vector when on Linux)

Xon

Well-known member
#1

Mike

XenForo developer
Staff member
#5
XenForo explicitly does DNS lookups of IPs at registration time
I haven't delved into the underlying code (in Linux), but the only explicit gethostbyname() calls in XF are DNS black lists and one in Zend Framework's email validation. We are mostly resolvings IPs back to hosts which is done via gethostbyaddr and PHP's dns_get_record. It may be a vector but I'm not sure. (If the issue is in the underlying parsing of DNS records then it would be, though I'm surprised they seem to have attributed this to gethostbyname specifically.)

Fixing this fully likely requires a server reboot as well.
 
Last edited:

Xon

Well-known member
#10
I haven't delved into the underlying code (in Linux), but the only explicit gethostbyname() calls in XF are DNS black lists and one in Zend Framework's email validation. We are mostly resolvings IPs back to hosts which is done via gethostbyaddr and PHP's dns_get_record. It may be a vector but I'm not sure. (If the issue is in the underlying parsing of DNS records then it would be, though I'm surprised they seem to have attributed this to gethostbyname specifically.)

Fixing this fully likely requires a server reboot as well.
The real issue is all the other services which use the legacy gethostbyname call.

I haven't seen anything which says dns_get_record vulnerability, but you'ld need to check the php source to see if it goes anywhere near it. Easier to just patch and move on.

Same with CentOS, you just need to restart the services using on glibc
While technically true, it is faster to just reboot the server for modern VMs.
 

Deebs

Well-known member
#11
The actual bug was fixed in glibc in May, 2013. However many distros still push the affected versions but some distros are already on a version that has the bug fixed and therefore not vulnerable. (ie glibc 2.18 onwards are good)
 

EQnoble

Well-known member
#14
I inspected it with a local build on a vm and well, it was pretty damn handy with nice clean output with my green on black shell.

Good read, Imahafta drop that in the ole pastebin (the one in my c: drive at home of course).
 

EQnoble

Well-known member
#16
Yeah much easier with one liner in SSH to restart only services which rely on libc - I've updated all of my 35+ servers so far - only needed to type the commands once to update them all :)
I did it manually on one and tested this on the other, and in comparison one stood still and one was moving.
 

MattW

Well-known member
#19
If you are happy you know which services need to be restarted, the a reboot isn't required. But........it's probably quicker to reload for a lot of people.

We aren't reloading out boxes at work, as a lot of them will need a manual FSCK performing due to their uptime, and will require remote hands and eyes.