Akamai Diversity
Home > Web Security > Akamai and the Glibc Vulnerability (CVE-2015-7547)

Akamai and the Glibc Vulnerability (CVE-2015-7547)

Akamai continues to investigate the Glibc vulnerability outlined in CVE-2015-7547 to see how its technology may be affected.

As part of the DNS query process, Glibc is used by many systems across the Internet -- and at Akamai -- and all versions of Glibc's getaddrinfo () library functions since version 2.9 are potentially vulnerable to a range of attacks based on a stack buffer overflow.

Some defenses are available, such as UDP-based DNS, a patch released by the researchers who disclosed this vulnerability.

Akamai uses Glibc in several of its systems. Our critical end user-facing content delivery components are NOT exposed to this vulnerability. Other production-environment systems, such as our NetStorage product, are already coordinating patch releases. We are also investigating our internal systems carefully, with the expectation that a combination of patches, upgrades, and substitute stub resolvers will be selected and installed for each system's safety.

Background

Researchers from Google and Red Hat discovered the vulnerability, and a patch has been issued.

"Our initial investigations showed that the issue affected all the versions of glibc since 2.9 ... If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack," Google researchers said in its advisory.

Specifically, the researchers discovered, during review of the already-disclosed bug 18665 for glibc, that it could lead to a stack-based buffer overflow. In the advisory, Carlos O'Donell of Red Hat wrote that the buffer overflow occurs in the function send_dg (UDP) and send_vc (TCP) for the NSS module libnss_dns.so.2 when calling getaddrinfo with AF_UNSPEC family and in some cases also with AF_INET6 before the fix in commit 8479f23a (only use gethostbyname4_r if PF_UNSPEC).

Because of this buffer mismanagement, large files that could include payloads or RCE exploits, might be accepted by the requestor, O'Donell wrote.

Media Attention

Since the details were released, the vulnerability has gotten significant media attention. Dan Kaminsky, researcher, co-founder and chief scientist at White Ops, told Threatpost in an interview that the issue is "pretty bad" and that "the code path is widely exposed and available, and it yields remote code execution."

The vulnerability has also been covered in articles from Dark Reading and the Hackers Online Club blog.

The various news articles and blog posts also note that Web frameworks such as Python, PHP, Rails and all Linux servers are affected, and that Glibc is also at the heart of the Ghost issue from last year.

Mitigation

Akamai is quickly patching its internal systems. Most of the company's external systems use a local bind, so the attacker would need to be between the glibc stub and the bind on the loopback interface. Those that don't are being more urgently patched.

If you have any questions or concerns regarding this vulnerability and your Akamai services, please use our Community post dedicated to the subject, or contact your Akamai Representative or Customer Care.

If our investigation uncovers additional risks, we will provide follow-up blog posts, Akamai Community posts, and Luna Portal advisories to update customers on how we are affected and what we're doing about it.

Leave a comment