[Triumf-linux-users] [Triumf-linux-managers] Critical update for glibc
Andrew Daviel
advax at triumf.ca
Wed Feb 17 19:26:03 PST 2016
On Wed, 17 Feb 2016, Dima Vavilov wrote:

> Hi Andrew,
>
> Thank you for warning! Is reboot or restart of particular services
> needed after the update ?

It seems to me that network clients are vulnerable to an attack via a
crafted email or web page, so restart Firefox, Thunderbird etc.
An attacker would need to get control of forward DNS for a domain (any
domain - not hard, as they can buy a domain for $10 or something).

It is possible that servers may be vulnerable, if an attacker can get
control of reverse DNS, perhaps at a service like Rackspace or AWS. This
may require more effort or money; they'd need to delegate a netblock to
their own DNS server. Then they could attack servers by sending
connection requests and rely on the server doing reverse DNS (which many
do, for logging, domain-based access control etc.)

In my opinion, restarting public-facing services that might include
getaddrinfo(3) would be a good idea. I believe for instance that
getaddrinfo is called by apr_sockaddr_info_get() in Apache APR (i.e. in
httpd). sendmail 8.13 seems to use the older getipnodebyaddr(); it's
likely a newer version may use getaddrinfo(). openssh 5.3 uses
getaddrinfo(). Etc.

So:

# service httpd restart
# service sendmail restart (for postfix)
# service sshd restart

etc., (or systemd equivalent)

# lsof|grep LISTEN|grep 'TCP \*'

will show listening servers (but not whether they are actually using
getaddrinfo, or listening on a public address) as a hint for what services to
restart. A reboot would of course get everything.

Finding affected code:

$ grep getaddrinfo `which sshd`
Binary file /usr/sbin/sshd matches

(also seen in source code)

More tricky; httpd itself calls apr_getnameinfo

$ ldd `which httpd`|grep apr
libapr-1.so.0 => /usr/lib64/libapr-1.so.0 (0x00002b6ea870a000)
$ grep getaddrinfo /usr/lib64/libapr-1.so.0
Binary file /usr/lib64/libapr-1.so.0 matches

$ grep getaddrinfo `which postfix`
Binary file /usr/sbin/postfix matches

--
Andrew Daviel, TRIUMF, Canada
Tel. +1 (604) 222-7376 (Pacific Time)
Network Security Manager
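
As a follow-up check to the restart advice in the message above (an added example, not part of the original message), this script lists processes that still have the pre-update glibc mapped and so have not been restarted. The function names has_stale_libc and scan_proc are hypothetical, and it assumes the package update unlinked the old library file, which the kernel then marks "(deleted)" in /proc/<pid>/maps.

```shell
#!/bin/sh
# Find processes still running against the glibc copy that the update
# replaced. Run as root so every process's maps file is readable.
#
# Constructed sample of a maps line this matches:
#   7f0a00000000-7f0a0018a000 r-xp 00000000 fd:00 1311 /lib64/libc-2.12.so (deleted)

# has_stale_libc: read /proc/<pid>/maps text on stdin; succeed if any
# mapping of libc (libc.so.6 or libc-<version>.so) is marked deleted.
# The version pattern keeps unrelated names such as libc-client.so
# and libcap.so out of the result.
has_stale_libc() {
    awk '$0 ~ "/libc(-[0-9.]+)?\\.so[^/]* \\(deleted\\)$" { found = 1 }
         END { exit !found }'
}

# scan_proc [root]: print "<pid> <command name>" for each process under
# root (default /proc) that still maps the old libc.
scan_proc() {
    root=${1:-/proc}
    for dir in "$root"/[0-9]*; do
        # Skip processes that exited or that we may not read.
        [ -r "$dir/maps" ] || continue
        if has_stale_libc 2>/dev/null < "$dir/maps"; then
            name=$(cat "$dir/comm" 2>/dev/null) || name='?'
            printf '%s %s\n' "${dir##*/}" "${name:-?}"
        fi
    done
}

# Invoke as: sh <this script> --scan
case "${1:-}" in
    --scan) scan_proc ;;
esac
```

An empty result after the restarts means no running process is still using the old library; anything listed is a candidate for a restart.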