SA114 : GNU C Library (glibc) Remote Code Execution February 2016
- Status: Closed
- Severity: High
- CVSS Base Score: CVSS v2: 9.3
Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code.
The following products are vulnerable:
|Advanced Secure Gateway (ASG)|
|All CVEs||6.6||Upgrade to 22.214.171.124.|
|Content Analysis System (CAS)|
|All CVEs||1.3||Upgrade to 126.96.36.199.|
|Malware Analysis Appliance (MAA)|
|All CVEs||4.2||Upgrade to 4.2.8.|
|Management Center (MC)|
|All CVEs||1.6 and later||Not vulnerable, fixed in 188.8.131.52|
|1.5||Upgrade to 184.108.40.206.|
|Norman Shark Industrial Control System Protection (ICSP)|
|All CVEs||5.3||Upgrade to 5.3.6.|
|Norman Shark Network Protection (NNP)|
|All CVEs||5.3||Upgrade to 5.3.6.|
|Norman Shark SCADA Protection (NSP)|
|All CVEs||5.3||Upgrade to 5.3.6.|
|PacketShaper (PS) S-Series|
|All CVEs||11.6 and later||Not vulnerable, fixed in 220.127.116.11|
|11.5||Upgrade to 18.104.22.168.|
|11.2, 11.3, 11.4||Upgrade to later release with fixes.|
|PolicyCenter (PC) S-Series|
|All CVEs||1.1||Upgrade to 22.214.171.124.|
|All CVEs||10.1||Upgrade to 10.1.4.1.|
|9.4, 9.5||Not vulnerable|
|All CVEs||7.2||Not vulnerable, fixed in 7.2.1|
|7.1||Upgrade to 7.1.11.|
|7.0||Upgrade to later release with fixes.|
|6.6||Upgrade to 6.6.12.|
|All CVEs||3.9||Upgrade to 126.96.36.199.|
|3.8.4FC||Upgrade to 3.8.4FC-55.|
|3.8||Upgrade to 3.8.6-14.|
|All CVEs||11.0||Upgrade to 11.0.2.|
|10.0||Upgrade to 10.0.6.|
Blue Coat products that use a native installation of glibc, but do not install or maintain that implementation are not vulnerable. However, the underlying platform that provides the glibc library may be vulnerable. Blue Coat urges our customers to update the versions of glibc that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.
The following products are not vulnerable:
Android Mobile Agent
Blue Coat HSM Agent for the Luna SP
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
Mail Transfer Defense
ProxyAV ConLog and ConLogXP
Blue Coat no longer provides vulnerability information for the following products:
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
The stack-based buffer overflow exists in the glibc client DNS resolver implementation (libresolv) when invoked from the libnss_dns module. The buffer overflow occurs in the libnss_dns send_dg() and send_vc() functions when a userspace application resolves a DNS name by calling getaddrinfo() with the AF_UNSPEC parameter. The AF_UNSPEC parameter does not tell the resolver whether to resolve the DNS name to an IPv4 or IPv6 address, so the resolver sends both type A (IPv4) and AAAA (IPv6) DNS queries in parallel. A mismanagement of the buffers allocated for the queries may cause an oversized response of a DNS query to be written beyond the bounds of the query's buffer.
A remote attacker can exploit this vulnerability by sending a crafted, oversized DNS response to the DNS resolver. The resolver will crash or execute arbitrary code with the access privileges of the application requesting the DNS name resolution. If the application runs with root privileges, the remote attacker will gain root access and have complete control of the target.
|Severity / CVSSv2||High / 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)|
|References||SecurityFocus: BID 83265 / NVD: CVE-2015-7547|
|Impact||Denial of service, code execution|
|Description||A stack-based buffer overflow in the client DNS resolver allows a remote attacker to send a crafted DNS response and cause cause an application crash or execute arbitrary code.|
Blue Coat's ProxySG appliance can be used to protect against the glibc remote code execution attack. Customers using ProxySG as a reverse proxy can protect network hosts by blocking the oversized DNS responses that trigger the stack-based buffer overflow. DNS responses over TCP should be limited to 1024 bytes and DNS responses over UDP should be limited to 512 bytes. ProxySG 6.5 and 6.6 customers can use the following CPL syntax:
<dns-proxy> dns.request.threat_risk.level=7.. dns.respond(refused) <dns-proxy> dns.client_transport=tcp dns.response.cname.length=1024.. dns.respond(refused) dns.response.ptr.length=1024.. dns.respond(refused) <dns-proxy> dns.client_transport=udp dns.response.cname.length=512.. dns.respond(refused) dns.response.ptr.length=512.. dns.respond(refused)
Google Security Team announcement and analysis - https://security.googleblog.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
2017-02-07 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support. SA status moved to Final.
2016-12-04 SSLV 3.11 is not vulnerable. PacketShaper S-Series 11.7 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-10-26 MC 1.6 and 1.7 are not vulnerable.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-07-16 A fix for XOS 10.0 is available in 10.0.6. A fix for XOS 11.0 is available in 11.0.2.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4. Please upgrade to a later version with the vulnerability fixes.
2016-06-23 A fix for ASG is available in 188.8.131.52.
2016-06-14 A fix for SA 7.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-19 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-28 A fix for PacketShaper S-Series 11.5 is available in 184.108.40.206. A fix for PolicyCenter S-Series is available in 220.127.116.11.
2016-04-24 Mail Transfer Defense is not vulnerable.
2016-04-15 A fix will not be provided for CAS 1.2. Please upgrade to a later version with the vulnerability fixes.
2016-04-01 A fix for Reporter 10.1 is available in 10.1.4.1.
2016-03-23 XOS 9.7 is not vulnerable.
2016-03-17 A fix for SSLV 3.8 is available in 3.8.6-14.
2016-03-14 Fixes are available for CAS 1.3 in 18.104.22.168 and for MC 1.5 in 22.214.171.124.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8
2016-03-04 A fix for SSLV 3.9 is available in 126.96.36.199.
2016-02-29 Added CVSS v2 score
2016-02-19 initial public release
Subscribing will provide email updates when this Article is updated. Login is required.
Thanks for your feedback. Let us know if you have additional comments below. (requires login)
This will clear the history and restart the chat.