"Big Bad Wolf Bug" a.k.a. CVE-2015-7547

If you haven't heard about CVE-2015-7547, you were probably away from your computer (or any Internet-connected device) for a while. You may also have seen it under headlines like "The bug that affects millions of devices". Is it really that bad? It is pretty bad. For the technical details, Dan Kaminsky's article "A Skeleton Key of Unknown Strength" is a perfect read; a shorter and less technical write-up can be found on the Ars Technica UK site.

To put it simply: any system whose programs resolve names through the GNU C Library (glibc, which means practically every Linux server and desktop) can be exploited remotely with a specially crafted DNS response from a malicious or compromised DNS server. The bug is a stack buffer overflow in getaddrinfo(): when the library sends A and AAAA queries in parallel and a response is larger than the 2048-byte buffer it reserved on the stack, a follow-up response can be written past the end of that buffer. Android devices are not vulnerable, by the way, because they use their own C library (Bionic) rather than glibc. Exploitation has been demonstrated, and a crafted response can apparently survive passing through several caching resolvers, so a vulnerable system is reachable even when it resolves names through a public service such as Google Public DNS or OpenDNS.

For most distributions the patch is already available, so update now and DON'T FORGET TO REBOOT! Almost every running process has glibc mapped, and only a reboot guarantees that none of them is still using the old copy.

  • To update Debian/Ubuntu, run "apt-get update && apt-get dist-upgrade"
  • To update CentOS/RHEL, use "yum update"
  • To update Fedora, run "dnf update"
  • To update SUSE, run "zypper up"
  • To update Arch, run "pacman -Syu"

Please note that the above commands update all outdated packages. If you want to update only glibc, run "apt-get install --only-upgrade libc6" on Debian/Ubuntu, or give the package name "glibc" to the command on the other distributions ("yum update glibc", "dnf update glibc", "zypper up glibc"). Arch does not support partial upgrades, so there it is the full "pacman -Syu" or nothing.

If you cannot reboot your server immediately after patching, then at least restart the services that are still running with the old, now deleted, copy of the library mapped. To find them, you can use the following command:

lsof +c0 -d DEL | awk 'NR==1 || /libc-/ {print $2,$1,$4,$NF}' | column -t

A simpler command, if the construct above looks a bit frightening, could be:

lsof | grep libc- | grep DEL

Both show the processes holding onto a library file that the update has deleted: "DEL" is lsof's marker for a mapped file that no longer exists on disk, and "libc-" matches the versioned file name glibc installs (libc-2.19.so, for example). Don't forget that you need to be root or use "sudo" to see other users' processes, and of course "lsof" must be installed. Restart every service listed; whatever you cannot restart, PID 1 for instance, is the reason the reboot is still needed.
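The same check done without lsof, as an added example that is not part of the original post: it reads /proc/<pid>/maps directly, where the kernel appends " (deleted)" to any mapping whose backing file has been unlinked, which is exactly what a package upgrade does to the old libc. The function names and the sample maps lines are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post: find processes that still have
# a glibc shared object mapped after the file was replaced on disk, reading
# /proc/<pid>/maps directly so it also works on minimal hosts without lsof.
#
# Constructed sample of a maps line (address, perms, offset, dev, inode, path):
#   7f3c2a000000-7f3c2a1c0000 r-xp 00000000 08:01 1234567 /lib/x86_64-linux-gnu/libc-2.19.so (deleted)

# deleted_libs MAPSFILE [PATTERN]
# Print each distinct deleted mapped path in MAPSFILE whose name matches
# PATTERN (an extended regex; the default matches libc-2.x.so and libc.so.6).
deleted_libs() {
  maps=$1
  pattern="${2:-libc[-.]}"
  awk '/ \(deleted\)$/ {
         sub(/ \(deleted\)$/, "")                        # strip the kernel marker
         path = $6                                      # path starts at field 6 ...
         for (i = 7; i <= NF; i++) path = path " " $i   # ... and may contain spaces
         print path
       }' "$maps" 2>/dev/null \
    | grep -E -- "$pattern" | sort -u
}

# scan_procs [PATTERN]
# Walk every process and print "PID COMM PATH" for each stale library.
# Run as root: maps of other users' processes are unreadable and skipped.
scan_procs() {
  pattern="${1:-libc[-.]}"
  for maps in /proc/[0-9]*/maps; do
    pid=${maps#/proc/}; pid=${pid%/maps}
    deleted_libs "$maps" "$pattern" | while read -r path; do
      comm=$(cat "/proc/$pid/comm" 2>/dev/null || echo '?')
      printf '%s %s %s\n' "$pid" "$comm" "$path"
    done
  done
}

# Usage (file name hypothetical): sh find-stale-libc.sh --scan ['pattern']
case ${1:-} in
  --scan) scan_procs "${2:-}" ;;
esac
```

The default pattern also matches libc.so.6, the unversioned file name newer glibc releases install, so the script keeps working after the libc-2.xx.so naming goes away.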

If for some reason you cannot patch yet, a stopgap is to drop oversized DNS responses at the firewall: the overflow needs a response larger than glibc's 2048-byte buffer, so limiting replies to 512 bytes over UDP and 1024 bytes over TCP keeps it out of reach. For example with something like this:

iptables -I INPUT -p udp --sport 53 -m length --length 513:65535 -j DROP

iptables -I INPUT -p tcp --sport 53 -m length --length 1025:65535 -j DROP

A few caveats. The length match counts the whole IP packet, headers included, so with the 20-byte IPv4 and 8-byte UDP headers the first rule really caps the DNS payload at 484 bytes; allow 28 more bytes (drop from 541 upwards) if you want exactly 512, and add separate ip6tables rules, with the 40-byte IPv6 header in mind, if the host resolves over IPv6. Legitimate large answers (DNSSEC-signed zones, EDNS0 responses, big TXT records) will be dropped and the lookup will time out rather than fall back to something smaller, so expect some resolution failures. The TCP rule only sees individual segments, so a large response split into small segments slips through; treat these rules as a speed bump, not a fix, and patch and reboot as soon as you can.

If you are running a DNS server that other hosts use, add the same rules with "--sport 53" on the OUTPUT chain, so that oversized replies your server sends are dropped and unpatched clients behind it are protected too. ("--dport 53" on INPUT would only match incoming queries, which are not the problem.)
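The rules above with the header overhead worked out, for both IPv4 and IPv6 and for either chain, as an added example that is not part of the original post. It assumes the classic iptables/ip6tables command line; the function names, the file name and the "--apply" switch are inventions of this example.

```shell
#!/bin/sh
# Added example, not from the original post: generate (and optionally apply)
# the DNS response-size rules with the packet headers accounted for.
# `-m length` matches the length of the whole IP packet, so a limit on the
# DNS payload must be raised by the IP and transport header sizes.

# dns_len_threshold PROTO FAMILY LIMIT
# Print the smallest packet length that carries more than LIMIT bytes of
# DNS payload: LIMIT + transport header + IP header + 1. TCP DNS messages
# carry a 2-byte length prefix, counted here. Header sizes are the minimums
# (no IP or TCP options), so with options present the rule is slightly
# stricter than LIMIT, never looser.
dns_len_threshold() {
  proto=$1 family=$2 limit=$3
  case $family in 4) ip=20 ;; 6) ip=40 ;; *) return 1 ;; esac
  case $proto in udp) tr=8 ;; tcp) tr=22 ;; *) return 1 ;; esac
  echo $((limit + tr + ip + 1))
}

# dns_len_rules [UDP_LIMIT] [TCP_LIMIT] [CHAIN]
# Print one iptables/ip6tables command per line that drops DNS replies
# (--sport 53) above the limits. CHAIN is INPUT for a host protecting
# itself, OUTPUT on a resolver protecting the clients it answers.
dns_len_rules() {
  udp_limit=${1:-512} tcp_limit=${2:-1024} chain=${3:-INPUT}
  for family in 4 6; do
    case $family in 4) tool=iptables ;; *) tool=ip6tables ;; esac
    for proto in udp tcp; do
      case $proto in udp) limit=$udp_limit ;; *) limit=$tcp_limit ;; esac
      min=$(dns_len_threshold "$proto" "$family" "$limit")
      echo "$tool -I $chain -p $proto --sport 53 -m length --length $min:65535 -j DROP"
    done
  done
}

# Usage (file name hypothetical):
#   sh dns-size-rules.sh                      # print the rules
#   sh dns-size-rules.sh --apply              # run them (needs root)
#   sh dns-size-rules.sh --apply 512 1024 OUTPUT
case ${1:-} in
  --apply) shift; dns_len_rules "$@" | sh -e ;;
  *)       dns_len_rules "$@" ;;
esac
```

Print first, apply second: the printed lines are ordinary iptables commands, so prepending "-D" in place of "-I" gives you the matching removals once the host is patched.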

NB: Google's security team has published proof-of-concept code on GitHub for this vulnerability (a malicious DNS server plus a client that triggers the bug and crashes; it is not a working exploit), so you can test a server before and after patching it.

© Do-Know.com