DNS lookup vulnerability (CVE-2015-0235) in glibc (XF is a vector when on Linux)

XenForo explicitly does DNS lookups of IPs at registration time
I haven't delved into the underlying code (in Linux), but the only explicit gethostbyname() calls in XF are DNS black lists and one in Zend Framework's email validation. We are mostly resolving IPs back to hosts, which is done via gethostbyaddr and PHP's dns_get_record. It may be a vector but I'm not sure. (If the issue is in the underlying parsing of DNS records then it would be, though I'm surprised they seem to have attributed this to gethostbyname specifically.)

Fixing this fully likely requires a server reboot as well.
 
I haven't delved into the underlying code (in Linux), but the only explicit gethostbyname() calls in XF are DNS black lists and one in Zend Framework's email validation. We are mostly resolving IPs back to hosts, which is done via gethostbyaddr and PHP's dns_get_record. It may be a vector but I'm not sure. (If the issue is in the underlying parsing of DNS records then it would be, though I'm surprised they seem to have attributed this to gethostbyname specifically.)

Fixing this fully likely requires a server reboot as well.
The real issue is all the other services which use the legacy gethostbyname call.

I haven't seen anything which says dns_get_record vulnerability, but you'd need to check the PHP source to see if it goes anywhere near it. Easier to just patch and move on.

Same with CentOS, you just need to restart the services using glibc
While technically true, it is faster to just reboot the server for modern VMs.
 
The actual bug was fixed in glibc in May 2013. However, many distros still push the affected versions, but some distros are already on a version that has the bug fixed and are therefore not vulnerable (i.e. glibc 2.18 onwards are good).
 
I inspected it with a local build on a VM and, well, it was pretty damn handy with nice clean output with my green on black shell.

Good read, Imahafta drop that in the ole pastebin (the one in my c: drive at home of course).
 
Yeah much easier with one liner in SSH to restart only services which rely on libc - I've updated all of my 35+ servers so far - only needed to type the commands once to update them all :)
I did it manually on one and tested this on the other, and in comparison one stood still and one was moving.
 
If you are happy you know which services need to be restarted, then a reboot isn't required. But... it's probably quicker to reload for a lot of people.

We aren't reloading our boxes at work, as a lot of them will need a manual FSCK performing due to their uptime, and will require remote hands and eyes.
 
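For the "restart only the services that rely on libc" approach discussed in the posts above, the following is an added example (not code posted by anyone in the thread) that lists processes still mapping a glibc file that has been replaced on disk. It assumes the package upgrade unlinked the old library, so the kernel marks the mapping "(deleted)" in /proc/<pid>/maps; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: find processes that still run the pre-upgrade glibc.
# A process that loaded the old libc keeps it mapped after the package
# update; /proc/<pid>/maps then shows the path followed by "(deleted)".

# stale_libc_pids [PROC_ROOT]
# Prints "PID NAME" for every process with a deleted libc mapping.
# PROC_ROOT defaults to /proc; it is a parameter so the function can be
# run against a constructed directory tree.
stale_libc_pids() {
    proc_root="${1:-/proc}"
    for maps in "$proc_root"/[0-9]*/maps; do
        [ -r "$maps" ] || continue
        # Matches libc.so.6 and libc-2.NN.so, but not libcrypto etc.
        if grep -Eq '/libc(-[0-9.]+)?\.so[^/ ]* \(deleted\)$' "$maps" 2>/dev/null; then
            dir="${maps%/maps}"
            pid="${dir##*/}"
            name="?"
            [ -r "$dir/comm" ] && name="$(cat "$dir/comm" 2>/dev/null)"
            printf '%s %s\n' "$pid" "$name"
        fi
    done
}

# Constructed sample: a fake /proc tree with three processes.
#   101 still maps the old (deleted) libc  -> needs a restart
#   202 maps the libc currently on disk    -> fine
#   303 maps a deleted libcrypto only      -> not a glibc hit
make_sample_proc() {
    root="$(mktemp -d)"
    mkdir -p "$root/101" "$root/202" "$root/303"
    echo "httpd" > "$root/101/comm"
    echo "7f0a00000000-7f0a001b0000 r-xp 00000000 08:01 1311 /lib64/libc-2.12.so (deleted)" > "$root/101/maps"
    echo "sshd" > "$root/202/comm"
    echo "7f0b00000000-7f0b001b0000 r-xp 00000000 08:01 2422 /lib64/libc-2.12.so" > "$root/202/maps"
    echo "php-fpm" > "$root/303/comm"
    echo "7f0c00000000-7f0c00200000 r-xp 00000000 08:01 3533 /usr/lib64/libcrypto.so.10 (deleted)" > "$root/303/maps"
    echo "$root"
}
```

Run `stale_libc_pids` as root on the real /proc after updating; an empty result means no running process still maps the old library. Statically linked binaries do not appear in this check.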