‘Catastrophic’ Glibc Flaw Threatens Linux And IoT Devices

Security researchers at Google and Red Hat have both discovered a serious vulnerability with glibc.

Glibc is an open source library of code that is widely used in internet-connected devices, and the discovery comes after another flaw was discovered last month by Qualys.

Glibc Flaw

The Glibc flaw is potentially very serious, as it could allow remote code execution, Google researchers said in a blog post.

The flaw could compromise apps, devices and other Internet-connected services.

Google said that while the flaw was hard to exploit, its engineers had done it (although they did not reveal how). It seems the flaw has to do with domain look-up in Glibc, which could allow a hacker to implant code in a device’s memory. They could then crash the device or gain access to corporate networks remotely, for example.

“Our initial investigations showed that the issue affected all the versions of glibc since 2.9,” said Google. “You should definitely update if you are on an older version though.”

A patch is available here.

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used,” said Google. “Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.”

“Many people are running around right now trying to work out if this is truly catastrophic or whether we have dodged a bullet,” Prof Alan Woodward, a security expert from the University of Surrey, told the BBC.

He said that routers and anything considered part of the ‘Internet of Things’ could be affected.

Patch Now

Another security expert meanwhile has warned that rapid action is required, and that system administrators need to roll out the patches immediately.

“Organisations will need to move fast on this one – since it looks as though a large number of connected devices are at risk,” said Ross Brewer, VP and MD of international markets at security specialists LogRhythm.

“While the flaw may not yet have been exploited, it’s only a matter of time, now that this has been brought to everyone’s attention,” said Brewer. “Unless the new patch is installed quickly, hackers are going to have a field day accessing confidential information via computers, mobile phones or internet routers.”

And Brewer pointed out that this flaw has been around for a number of years now.

“What’s worrying is that the bug has been around since 2008 and was identified last year, but overlooked as a low priority,” said Brewer. “In all honesty, it’s baffling that nothing was done about it sooner.”

“Hot on the heels of the Logjam and Shellshock bugs, businesses must use this as another wake-up call to make sure they have more than just the basic lines of defence in place,” he said. “Mobile and internet-connected devices are now an essential part of business life, but there’s no doubt that they have opened up new ways for hackers to get their hands on company data.”
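For the “patch now” advice above, the following is an added example (not from the article, nor from glibc or any vendor) of the two checks an administrator would run on a host: compare the installed glibc version with the fixed version named in your distribution’s advisory (which you supply as an argument; the script does not know it), and list processes that still have the old, replaced libc mapped, since those must be restarted before the update actually takes effect.

```shell
#!/bin/sh
# Added example, not from the article or the glibc project.
# Two post-patch checks for a glibc update: version comparison and
# detection of processes still running on the old, replaced library.

# Returns 0 (true) if version "$1" is older than version "$2".
# Only the major and minor components are compared numerically,
# so that 2.9 sorts before 2.23 (a plain string compare gets this wrong).
version_lt() {
  a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}
  b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}
  [ "$a_major" -lt "$b_major" ] ||
    { [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -lt "$b_minor" ]; }
}

# Prints the installed glibc version, e.g. "2.31"; "ldd --version"
# prints it as the last field of its first line.
installed_glibc_version() {
  ldd --version 2>/dev/null | head -n 1 | awk '{print $NF}'
}

# Returns 0 if the installed glibc is older than the fixed version "$1".
# The fixed version comes from your distribution's advisory; it is an
# input to this script, not a value the script knows.
glibc_needs_patch() {
  version_lt "$(installed_glibc_version)" "$1"
}

# After the package update, processes started before it keep the old
# libc mapped; /proc/PID/maps marks the replaced file "(deleted)".
# Prints the PIDs of such processes; restart them (or reboot) before
# considering the host fixed.
processes_on_old_libc() {
  grep -l 'libc[-.].*(deleted)' /proc/[0-9]*/maps 2>/dev/null |
    cut -d/ -f3 | sort -un
}

# Usage: sh check_glibc.sh <fixed-version-from-advisory>
if [ -n "$1" ]; then
  if glibc_needs_patch "$1"; then
    echo "glibc $(installed_glibc_version) is older than fixed $1: update now"
  else
    echo "glibc $(installed_glibc_version) is at or above $1"
  fi
  pids=$(processes_on_old_libc)
  [ -n "$pids" ] && echo "processes still on old libc (restart them): $pids"
fi
```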

Last month Qualys discovered a critical vulnerability in the Linux OS. That flaw could allow attackers to remotely take control of an entire system without having any prior knowledge of system credentials.

The vulnerability was in the Linux GNU C Library (glibc) and is known as GHOST (CVE-2015-0235), because it can be triggered by the gethostbyname family of functions. It impacts many systems built on Linux, starting with glibc-2.2 released on November 10, 2000.


Tom Jowitt

Tom Jowitt is a leading British tech freelancer and long standing contributor to Silicon UK. He is also a bit of a Lord of the Rings nut...
