A Google engineer has accidentally discovered a critical glibc security vulnerability that has existed since 2008. After committing several hours to hacking the vulnerability, Google engineers managed to come up with a fully working exploit that could be used to remotely control Linux devices. The glibc security vulnerability has been compared to the Shellshock security vulnerability uncovered in 2014 due to the sheer number of hardware devices and apps that could potentially be affected.
The security vulnerability came as a surprise to Google engineers who were investigating an error in an SSH application which caused a segmentation fault when trying to access a specific web address. It was only after a detailed investigation that they discovered the fault lay with glibc.
Maintainers of glibc were contacted and alerted to the security vulnerability, but as it turns out they were already aware of the issue. It had been reported in July 2015 but had not been rated as a priority. When Google contacted Red Hat, however, Red Hat confirmed that it too had discovered the flaw and was working on a patch.
Linux Devices at Risk from Critical Glibc Security Vulnerability
While Windows, OS X, and Android devices are unaffected by the glibc security vulnerability, hundreds of thousands of hardware devices could potentially be affected. The security flaw affects most distributions of Linux and thousands of applications that use GNU C Library source code. All versions of glibc above 2.9 are affected.
The library is part of Linux distributions that run on a wide range of hardware, including routers. The vulnerability is a buffer overflow bug in getaddrinfo(), a function that performs domain lookups.
If hackers managed to replicate Google’s exploit, they would be able to take advantage of the vulnerability and remotely execute malicious code. The security vulnerability could be exploited when unpatched devices make queries to domain names or domain name servers controlled by attackers.
Google engineers have been working with Red Hat to address the vulnerability. By combining their knowledge of the flaw they have been able to develop a fix, and a patch has now been released. It is essential that the patch is applied as soon as possible to ensure that the vulnerability cannot be exploited.
Updating to the latest version of glibc may be a fairly straightforward process. Linux servers can be patched by downloading the update, although things may not be quite so straightforward for some applications, which will need to be recompiled with the new library code. This could potentially result in a number of devices remaining vulnerable for some time.
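To sort the applications that pick up an updated glibc from the ones that must be recompiled, an inventory script can read each executable's ELF program headers. The following is an added example, not code from Google, Red Hat or the glibc project; the names linkage and sample_elf are hypothetical, and the check does not identify which C library a static binary embeds.

```python
import struct
import sys

PT_DYNAMIC, PT_INTERP = 2, 3  # program header types from the ELF specification


def program_header_types(data: bytes) -> list:
    """Return the p_type of every program header in an ELF image."""
    if len(data) < 0x34 or data[:4] != b"\x7fELF" or data[4] not in (1, 2) or data[5] not in (1, 2):
        raise ValueError("not a recognisable ELF file")
    end = "<" if data[5] == 1 else ">"           # EI_DATA: byte order
    if data[4] == 2:                             # EI_CLASS: 64-bit header layout
        (phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:                                        # 32-bit header layout
        (phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        phentsize, phnum = struct.unpack_from(end + "HH", data, 0x2A)
    return [struct.unpack_from(end + "I", data, phoff + i * phentsize)[0]
            for i in range(phnum)]


def linkage(data: bytes) -> str:
    """Classify an executable by how it obtains its C library code."""
    try:
        types = program_header_types(data)
    except struct.error:
        raise ValueError("truncated ELF file") from None
    if PT_INTERP in types:
        return "dynamic"       # loads the system libc: covered by the library update
    if PT_DYNAMIC in types:
        return "needs-review"  # static-PIE or shared object: inspect by hand
    return "static"            # library code is embedded: rebuild required


def sample_elf(p_types, is64=True):
    """Constructed sample: a bare ELF header followed by program headers."""
    ident = b"\x7fELF" + bytes([2 if is64 else 1, 1, 1]) + bytes(9)
    if is64:
        hdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64, 0, 0, 64, 56, len(p_types), 0, 0, 0)
        return hdr + b"".join(struct.pack("<I", t) + bytes(52) for t in p_types)
    hdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, len(p_types), 0, 0, 0)
    return hdr + b"".join(struct.pack("<I", t) + bytes(28) for t in p_types)


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, linkage(fh.read()))
```

Dynamically linked programs load the new library only when they next start, so long-running services need a restart after the update.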
Now that the vulnerability has been announced, hackers will be attempting to develop an exploit. Google has published a proof of concept, although obviously not full details of its weaponized exploit. The exploit is apparently not straightforward, which should buy Linux administrators a little time and allow them to check systems and ensure that affected hardware devices are patched.