February 18, 2016
Google Engineers Unearth 7-Year-Old Glibc Vulnerability
It was widely reported this week that a bug found in GNU C Library could affect hundreds of thousands of devices, applications and services. The GNU C Library, commonly called glibc, is an open-source library of code that is widely used in Internet-connected devices such as PCs, mobile devices, servers and routers. Glibc contains code that programs written in the C, C++, Python and Ruby languages use to carry out common tasks.
According to the BBC, Google engineers identified a flaw in glibc which could be exploited by hackers to allow remote access to systems. However, the article indicated that the scale of the problem is difficult to determine because it is unclear how many devices and systems make use of the glibc code. For example, Google Android devices use a different code library.
Ars Technica, on the other hand, called the bug “extremely severe,” and described it as a “potentially catastrophic flaw in one of the Internet’s core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them.” Another Ars Technica article stated “glibc is the most common code library used by Linux. It contains standard functions that programs written in the C and C++ languages use to carry out common tasks.”
In other words, debate remains about how widespread this vulnerability is. Check out the comments section of the BBC article if you don’t believe me. Zoinks!
The Google engineers that detected the bug wrote that the issue lies with the getaddrinfo() library function in versions of glibc since 2.9, which was released seven years ago. The blog post goes on to say that when the function is used, the glibc DNS client side resolver is vulnerable to a stack-based buffer overflow. Taking advantage of this vulnerability is one of the oldest and most common ways that hackers access and control systems remotely.
To resolve this problem, Google and Red Hat have jointly developed a non-weaponized proof of concept that allows you to test whether devices are vulnerable. They have also developed a patch for glibc that mitigates the bug and recommend that users of affected devices apply it ASAP.
That’s a good thing, of course. But the fact that this bug has existed for seven years illustrates the need for top-notch security and backup technology best practices. What is your business doing to ensure you have proper security, backup and business continuity in place if you’re ever affected by a bug like glibc….or worse?!