On Feb 16, 2016, Security Engineers at Google and Red Hat jointly released a patch for a critical stack buffer-overflow vulnerability in versions 2.9 and later of the GNU C Library. To maximize protection of our network, and our customers’ data, Verizon Digital Media Services has applied the patch to servers throughout our global CDN network.
The GNU C Library (glibc) is used in virtually every Linux system. The vulnerability, assigned CVE-2015-7547, was found in the getaddrinfo() function of glibc’s client-side DNS resolver. An attacker-controlled domain or DNS server can trigger it by returning an oversized (2048+ bytes) UDP or TCP response to a DNS query, followed by another response that overwrites the stack. Unpatched Linux systems are exposed to application and system-level crashes and to remote code execution, which could allow attackers to gain unauthorized control of servers.
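As an added illustration (not part of Verizon’s advisory), the following Python snippet shows the detection heuristic a defender can derive from the trigger pattern above: flag DNS responses of 2048 bytes or more, and escalate when another response from the same server follows shortly after. The DNS wire format parsing is minimal, the sample responses are constructed inline, and the two-packet window is an assumed tuning value.

```python
import struct
from dataclasses import dataclass

# Threshold taken from the advisory: responses of 2048+ bytes exceed the
# resolver's stack buffer in vulnerable glibc versions.
OVERSIZED = 2048


@dataclass
class Alert:
    index: int      # position of the packet in the captured sequence
    txid: int       # DNS transaction ID
    length: int     # payload length in bytes
    reason: str


def parse_header(payload: bytes):
    """Return (txid, is_response) from a 12-byte DNS wire-format header."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, _qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    return txid, bool(flags & 0x8000)  # QR bit set means response


def build_response(txid: int, rdata_len: int) -> bytes:
    """Constructed sample response for example.com with one TXT answer whose
    RDATA is rdata_len bytes of filler (not a valid record body, just length)."""
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)
    question = b"\x07example\x03com\x00" + struct.pack("!HH", 16, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 16, 1, 60, rdata_len)
    return header + question + answer + b"A" * rdata_len


def scan(responses, window: int = 2):
    """Flag oversized responses; escalate when another response from the same
    server arrives within `window` packets (the pattern the advisory describes).
    `responses` is a list of (server_ip, payload_bytes) in arrival order."""
    alerts = []
    last_oversized = {}  # server -> index of its most recent oversized response
    for i, (server, payload) in enumerate(responses):
        txid, is_resp = parse_header(payload)
        if not is_resp:
            continue  # queries are not interesting here
        if len(payload) >= OVERSIZED:
            alerts.append(Alert(i, txid, len(payload), "oversized response"))
            last_oversized[server] = i
        elif server in last_oversized and i - last_oversized[server] <= window:
            alerts.append(Alert(i, txid, len(payload),
                                "follow-up after oversized response"))
    return alerts
```

Run `scan()` over responses pulled from a packet capture to spot the sequence; a single oversized response is only a signal, and the follow-up is what makes the pair worth investigating.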
To learn more about the vulnerability and the patch, please consult the GNU notification.
While we have proactively patched the servers in our network, Verizon advises all customers to consult US-CERT Vulnerability Note VU#457759 for the list of affected operating systems and applications, and to apply the glibc patch to their vulnerable systems immediately.
Ted Eckerman, Security Engineer
Vikas Phonsa, Product Manager – Security Solutions