Massive glibc vulnerability puts devices at risk

A catastrophic flaw in one of the Internet's core building blocks may leave a huge number of applications and hardware devices open to attack, according to researchers.

getaddrinfo(), the library function that performs domain-name lookups, contains a stack-based buffer overflow that allows attackers to execute malicious code remotely by returning a crafted DNS response. It can be triggered whenever a vulnerable device or app resolves an attacker-controlled domain name, sends its queries to an attacker-controlled DNS server, or is exposed to a man-in-the-middle who can monitor and manipulate traffic between the device and the open Internet.

The vulnerability sits in the GNU C Library (glibc), the open source library that underpins standalone applications and most Linux distributions. Every glibc release from version 2.9 onwards is affected until the fix is applied.

Kenn White, a security researcher based in Washington, DC, said that the vulnerability is “a big deal” because the exploited function is “a core bedrock function across Linux.”

To address the vulnerability, the glibc maintainers have released an update that is recommended for anyone responsible for Linux-based software or hardware that performs domain-name lookups.

For most systems, patching means installing the updated library package and restarting any long-running process, since a process keeps using the copy of glibc it loaded at start-up. That is not enough everywhere, though: applications that were statically linked against a vulnerable glibc carry their own copy of the resolver code and will have to be recompiled against the updated library.
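The distinction above is the one worth checking on each host. The script below is an added example, not code from the article or from the glibc project: it reads the ELF program headers of a binary to tell dynamically linked executables (fixed by the package update plus a process restart) from statically linked ones (which need a rebuild), and it guesses the libc family from the dynamic loader's name. That name-to-libc mapping, the sample ELF images it builds for offline testing, and the paths passed on the command line are all assumptions of the example.

```python
"""Added example, not code from the article or from the glibc project.

After the glibc package is updated, a program that links libc dynamically
picks up the fixed getaddrinfo() the next time it starts, while a program
that was statically linked against a vulnerable glibc carries its own copy
of the old resolver and must be rebuilt.  This classifier reads the ELF
program headers directly instead of trusting `file` or `ldd`: a PT_INTERP
entry names the dynamic loader (dynamically linked), PT_DYNAMIC without
PT_INTERP is a static-PIE (still static), and neither means a classic
static executable.  Assumes Linux ELF32/ELF64 files of either byte order.
"""
import struct
import sys

ELF_MAGIC = b"\x7fELF"
PT_DYNAMIC = 2
PT_INTERP = 3


def program_headers(data):
    """Yield (p_type, p_offset, p_filesz) for each program header in `data`.
    Raises ValueError (or struct.error on a truncated header) if not ELF."""
    if data[:4] != ELF_MAGIC or len(data) < 52:
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 1:    # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        fmt = endian + "IIIIIIII"   # p_type p_offset p_vaddr p_paddr p_filesz ...
    elif ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        fmt = endian + "IIQQQQQQ"   # p_type p_flags p_offset p_vaddr p_paddr p_filesz ...
    else:
        raise ValueError("unknown ELF class")
    for i in range(e_phnum):
        fields = struct.unpack_from(fmt, data, e_phoff + i * e_phentsize)
        if ei_class == 1:
            yield fields[0], fields[1], fields[4]
        else:
            yield fields[0], fields[2], fields[5]


def classify(data):
    """Return ('dynamic', interp), ('static-pie', None), ('static', None)
    or ('not-elf', None) for the bytes of a file."""
    interp, has_dynamic = None, False
    try:
        for p_type, p_offset, p_filesz in program_headers(data):
            if p_type == PT_INTERP:
                interp = data[p_offset:p_offset + p_filesz].rstrip(b"\0").decode()
            elif p_type == PT_DYNAMIC:
                has_dynamic = True
    except (ValueError, struct.error):
        return "not-elf", None
    if interp is not None:
        return "dynamic", interp
    return ("static-pie" if has_dynamic else "static"), None


def libc_family(interp):
    """Guess which libc a binary loads from its loader name.  The naming
    convention (ld-linux*/ld.so*/ld64.so* = glibc, ld-musl* = musl) is an
    assumption of this example, not something the loader guarantees."""
    if interp is None:
        return "embedded"   # static: the libc is compiled in, so rebuild
    name = interp.rsplit("/", 1)[-1]
    if name.startswith(("ld-linux", "ld.so", "ld64.so")):
        return "glibc"
    if name.startswith("ld-musl"):
        return "musl"
    return "unknown"


def report(path):
    """Classify one file and say what the glibc package update does for it."""
    with open(path, "rb") as fh:
        status, interp = classify(fh.read())
    if status == "not-elf":
        return path, status, "-", "skipped"
    if status == "dynamic":
        return path, status, libc_family(interp), "update applies once the process restarts"
    return path, status, libc_family(None), "REBUILD against the patched library"


def build_sample_elf(interp=None, dynamic=False):
    """Construct a minimal ELF64 little-endian image (header plus program
    headers only, not runnable) so classify() can be exercised offline."""
    n = int(dynamic) + int(interp is not None)
    interp_bytes = b"" if interp is None else interp.encode() + b"\0"
    phdrs = b""
    if dynamic:
        phdrs += struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, 0, 0, 0, 0, 0, 8)
    if interp is not None:
        off = 64 + 56 * n   # the loader path string follows the program headers
        phdrs += struct.pack("<IIQQQQQQ", PT_INTERP, 4, off, 0, 0,
                             len(interp_bytes), len(interp_bytes), 1)
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\0" * 8   # ELF64, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", 2, 62, 1, 0, 64 if n else 0,
                               0, 0, 64, 56, n, 64, 0, 0)
    return ehdr + phdrs + interp_bytes


if __name__ == "__main__":
    # Usage: python3 elf_link_check.py /usr/sbin/* /opt/vendor/bin/*
    for p in sys.argv[1:]:
        print("%-40s %-10s %-8s %s" % report(p))
```

Run it over the directories where vendor-supplied or locally built binaries live; anything reported as static or static-pie does not benefit from the library update at all, and anything dynamic still needs its process restarted (or the host rebooted) before the fixed code is in use. A binary whose loader is ld-musl or whose libc is otherwise not glibc is outside this bug's scope regardless of how it is linked.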

Meanwhile, Google's Android mobile operating system uses a glibc substitute known as Bionic, which makes it one Linux-based platform that is not affected. It was nevertheless Google researchers who found the flaw, a buffer overflow inside glibc that makes malicious code-execution attacks possible.

Google's researchers also found that Red Hat, the Linux distributor, had independently discovered the bug and was already working on a fix.

Ross Brewer, VP and MD of international markets at LogRhythm commented: “Organisations will need to move fast on this one – since it looks as though a large number of connected devices are at risk. While the flaw may not yet have been exploited, it’s only a matter of time, now that this has been brought to everyone’s attention. Unless the new patch is installed quickly, hackers are going to have a field day accessing confidential information via computers, mobile phones or internet routers.”

“Hot on the heels of the Logjam and Shellshock bugs, businesses must use this as another wake-up call to make sure they have more than just the basic lines of defence in place. Mobile and internet-connected devices are now an essential part of business life, but there’s no doubt that they have opened up new ways for hackers to get their hands on company data.”

“It’s paramount that businesses have visibility into their network so that they can identify an exploited vulnerability as soon as it happens. If a flaw like this can lie dormant for eight years without being fixed, then there will likely be others – some even more serious than this one.”

“Cyber-attacks can no longer be stopped; instead all we can do is minimise the damage, and with web flaws being unearthed on a regular basis, no-one can afford to be resting on their laurels.”
