Alert: Patch Critical 'Skeleton Key' Flaw in LinuxLinux Devices, Internet of Things at Risk, Experts Warn
Information security experts warn enterprises to patch the serious "glibc" domain name system flaw now, with one likening it to a "skeleton key" that could be used to remotely take control of any system or device that runs the software.
See Also: The State of the Software Supply Chain
The eight-year-old flaw in the open source GNU C library has been designated CVE-2015-7547, and is present on all Linux machines and in many Web frameworks, thus leaving various devices and types of Internet infrastructure vulnerable to remote code execution, the glibc project team warns.
The Linux kernel vulnerability was first reported to the glibc team in July 2015, but that group flagged the flaw as being of low priority. Both Google and Linux developer Red Hat both recently found the flaw again, however, and issued fresh warnings, leading to an updated version of glibc being issued.
"This defect allows an attacker to cause [a] buffer overflow to occur, creating the possibility of remote code execution in some circumstances," says Michael McNally, an engineer for the Internet Systems Consortium, in a blog post. ISC is a U.S. nonprofit that has developed multiple core Internet technologies.
McNally warns that fixing the glibc flaw should be an immediate priority for anyone who uses any operating system or product that includes the vulnerable C library. He's also called for "immediate patching," with the best approach being "to immediately seek a patched version of glibc which has been secured to prevent this vulnerability."
'Skeleton Key' Against Linux
To date, it's not known how easily the flaw, which first appeared in glibc in 2008, could be exploited. Potentially, however, the vulnerability provides attackers with a "skeleton key of unknown strength," warns Dan Kaminsky, who's the chief scientist for anti-malware firm White Ops, in a Feb. 20 blog post.
Kaminsky should know: In 2008, he discovered and patched a massive flaw in DNS that attackers could have used to redirect any Internet user to a malicious site. Ironically, the vulnerability in glibc appeared in the code just weeks before Kaminsky issued a patch for the separate flaw he'd discovered.
The first law of DNS's attack surface is everyone underestimates DNS's attack surface. https://t.co/nw3hsWFnGS” Dan Kaminsky (@dakami) February 20, 2016
Bug: 'Unusually Bad'
One of the most concerning aspects of the glibc flaw is that it exposes the "sudo" command, which on Linux typically allows users to run programs with super-user - a.k.a. administrator - privileges.
"The glibc DNS bug is unusually bad," Kaminsky says. "Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend. This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn't even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe."
Shellshock was a bug in the Bash utility, which runs on the vast majority of Unix systems, while Heartbleed exposed a flaw in OpenSSL, a cryptographic tool that provides communication security and privacy over the Internet for applications such as e-mail, instant messaging and some VPNs (see Bash Bug: Bigger Than Heartbleed). The discovery of both vulnerabilities lead to panic, as well as calls to immediately patch all affected devices. But in the case of both flaws, experts warned that many types of devices - including numerous servers in the case of Heartbleed, and routers and modems affected by Shellshock - would likely remain unpatched and thus vulnerable for years to come, and that enterprises should expect more of these types of widespread flaws to be found in the future (see Why Shellshock Battle Is Only Beginning).
Remote Attack Reliability: Unclear
In the case of the glibc flaw, Kaminsky says that if attackers can gain local access to a network, they can exploit the vulnerability. But remote attacks would require that attackers use "cache traversing attacks" that force victims into running DNS lookups - against public DNS servers - that lead to related attack code, and it's not clear that such exploits would work reliably. "We've found that it is neither trivial to squeeze the glibc flaw through common name servers, nor is it trivial to prove such a feat is impossible," he says. "The vast majority of potentially affected systems require this attack path to function, and we just don't know yet if it can. Our belief is that we're likely to end up with attacks that work sometimes."
The team at Google that rediscovered the flaw has issued a similar assessment. "Remote code execution is possible, but not straightforward," the Google software engineers say in a blog post. "It requires bypassing the security mitigations present on the system, such as ASLR," which refers to address space layout randomization, which is designed to help block buffer-overflow attacks, which attackers can sometimes use to seize control of devices.
The Google researchers have released "non-weaponized" proof-of-concept exploit code that can be used to test for the presence of the flaw, as well as if related fixes work as intended.
Advice: Patch Now, Beware Countermeasures
Both Kaminsky and ISC's McNally have warned that flaw countermeasures recommended in the CVE-2015-7547 announcement - such as limiting the size of UDP or TCP responses - may interfere with legitimate DNS operations, and should only be used with caution, if at all. Instead, both recommend patching all affected devices, and without delay.
"Patch this bug," Kaminsky says. "You'll have to reboot your servers. It will be somewhat disruptive. Patch this bug now, before the cache traversing attacks are discovered, because even the on-path attacks are concerning enough."
But the glibc library is also used in software that runs on many different types of Internet-connected devices. "Think routers and increasingly anything considered part of the Internet of Things," University of Surrey computer science professor Alan Woodward tells the BBC.
The problem with so many Internet of Things devices, of course, is that manufacturers often either don't issue related updates, or users aren't alerted when they need to install a critical security fix. Whether these devices will ever see a glibc patch - to protect against related buffer-overflow attacks - remains to be seen (see The Internet of Buggy Things).