The glibc vulnerability was discovered this week and is capable of causing substantial outages. It’s caused by a stack-based buffer overflow in the way the libresolv library performs dual A/AAAA DNS queries. This makes it possible for a remote attacker to create a specially crafted DNS response, causing libresolv to crash or execute code with the permissions of the user running the library.
There is currently no known remote exploit in the wild, but that can be expected to change fairly soon. Most Linux distributions already have a software update available that removes the vulnerability, and it should be applied as soon as possible.
If the update can’t be applied immediately, there are mitigations that reduce exposure until it can be. Mitigating factors for UDP include:
- A firewall that drops UDP DNS packets > 512 bytes
- A local resolver (that drops non-compliant responses)
- Avoid dual A and AAAA queries (avoids buffer management error) — for example, do not use AF_UNSPEC
- No use of `options edns0` in /etc/resolv.conf since EDNS0 allows responses larger than 512 bytes and can lead to valid DNS responses that overflow
- No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC` since they can both lead to valid large EDNS0-based DNS responses that can overflow.
Mitigating factors for TCP include:
- Limit all replies to 1024 bytes.
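To check the resolv.conf-based UDP mitigations above across a fleet, the following added example (not part of the NYI advisory) parses resolv.conf text and reports whether `options edns0` is set and whether each nameserver is a local (loopback) resolver. It does not inspect firewall rules or the `RES_USE_EDNS0`/`RES_USE_DNSSEC` flags an application sets programmatically; the loopback-equals-local-resolver rule is an assumption of this example.

```python
"""Audit resolv.conf content for the UDP mitigations in the glibc advisory.

Added example, not part of NYI's advisory. Only the file format is parsed
(`nameserver`, `options`, `#`/`;` comments); firewall rules and flags set
in code via res_init/RES_USE_EDNS0 are out of scope here.
"""
import ipaddress
from typing import Dict, List


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Return {'nameservers': [...], 'options': [...]} from resolv.conf text."""
    nameservers: List[str] = []
    options: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        # glibc skips lines whose first character is '#' or ';'.
        if not line or line[0] in "#;":
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key == "options":
            # 'options' may carry several values, e.g. "edns0 ndots:2".
            options.extend(values)
    return {"nameservers": nameservers, "options": options}


def audit_resolv_conf(text: str) -> List[str]:
    """Return findings; an empty list means the checked mitigations hold."""
    cfg = parse_resolv_conf(text)
    findings: List[str] = []
    # 'options edns0' lets a server send responses larger than 512 bytes,
    # which defeats the "drop UDP DNS > 512 bytes" firewall mitigation.
    if "edns0" in cfg["options"]:
        findings.append("options edns0 is set: responses may exceed 512 bytes")
    # Assumption: only a loopback nameserver counts as a "local resolver"
    # that can drop non-compliant responses before libresolv sees them.
    for ns in cfg["nameservers"]:
        try:
            addr = ipaddress.ip_address(ns)
        except ValueError:
            findings.append(f"unparseable nameserver {ns!r}")
            continue
        if not addr.is_loopback:
            findings.append(f"nameserver {ns} is not a local resolver")
    return findings


if __name__ == "__main__":
    # Constructed sample, not a real host's configuration.
    SAMPLE = "# managed by example\nnameserver 192.0.2.53\noptions edns0 ndots:2\n"
    for finding in audit_resolv_conf(SAMPLE):
        print("FINDING:", finding)
```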
The majority of NYI’s infrastructure and managed services run on FreeBSD, which isn’t subject to the glibc vulnerability. Our team is already taking care of any updates required for clients with Linux servers managed by NYI and will open up a ticket with the client directly if any downtime is required.
Clients that require assistance determining if they are vulnerable or with handling vulnerable equipment are asked to open up a ticket through https://my.nyi.net.