[dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

Mike Hoskins (michoski) michoski at cisco.com
Tue Feb 23 19:32:50 UTC 2016

Thanks, Brian.  Was getting ready to reach out to internal contacts to respond more authoritatively.  That's what I inadequately expressed as the "unknown unknown" -- while trying to get customers info quickly (actually, not just trying, customers demand it -- understandably) the rules of the game were changing.  Glad to see you on-list.

From: "Brian Hartvigsen (bhartvig)" <bhartvig at cisco.com<mailto:bhartvig at cisco.com>>
Date: Tuesday, February 23, 2016 at 2:27 PM
To: Damian Menscher <damian at google.com<mailto:damian at google.com>>
Cc: michoski <michoski at cisco.com<mailto:michoski at cisco.com>>, "dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>" <dns-operations at dns-oarc.net<mailto:dns-operations at dns-oarc.net>>
Subject: Re: [dns-operations] CVE-2015-7547: glibc getaddrinfo buffer overflow

I actually wrote the blog post and tried to be very specific in what I wrote.  The claim was that we could protect from the malformed DNS packets put forward in the PoC code.  Which is accurate and the best information we had to go on at the time.  Further updates have come out now that say the vulnerability is exploitable with properly constructed DNS packets.  That's a whole different ball game (as discussed in this thread and many others like it.)

I'll see what can be done to put a disclaimer on that article that new information means that we may not offer the protection once thought.  (For me this is also an issue with the disclosure, we want to protect people from being exploited obviously, but the initial posting didn't give a ton of information on what an actual attack could/would look like.  A couple people at OpenDNS reached out to contacts at RedHat and were unable to get any additional information aside from what was in the Google article.)


- Brian

On Feb 23, 2016, at 11:20 AM, Damian Menscher <damian at google.com<mailto:damian at google.com>> wrote:

On Tue, Feb 23, 2016 at 10:01 AM, Mike Hoskins (michoski) <michoski at cisco.com<mailto:michoski at cisco.com>> wrote:
Just in case anyone's wondering, OpenDNS isn't affected.


They're not directly vulnerable, but their claim that they protect their users is a bit over-stated -- all RFC-compliant DNS servers provide the same protections (not forwarding packets that don't follow the DNS spec).  The problem is that there *might* be a way to exploit this via RFC-compliant DNS packets (I'm personally not convinced, but nobody wants to claim it's impossible).  And that would get past their defenses (and everyone else's).

Additionally, anyone using a remote resolver is vulnerable to a MitM injecting a malicious response, so everyone should upgrade.  Claims that OpenDNS users "aren't affected" are misleading and dangerous.

dns-operations mailing list
dns-operations at lists.dns-oarc.net<mailto:dns-operations at lists.dns-oarc.net>
dns-jobs mailing list

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20160223/9895413e/attachment.html>

More information about the dns-operations mailing list