Tripwire on Google Flaw that could Grant Remote Access to Devices

Google has reported that a flaw in some commonly-used code could be manipulated to grant remote access to devices such as a computer, internet router or a piece of equipment connected to the Internet. The flaw – CVE-2015-7547 is found in glibc – an open-source library of code widely used in Internet-connected devices. The flaw can affect programming languages like PHP and Python as systems used when logging into websites or accessing email.

Craig Young, a cybersecurity researcher from Tripwire told @DFMag: “This is quite an interesting bug, but my expectation is that we will not see widespread exploitation for code execution due to several factors.  While many have espoused ASLR as making this vulnerability difficult to exploit, I actually take a different stance.”

ASLR or Address Space Layout Randomization is a security feature designed to prevent attackers from knowing in advance where critical blocks of code exist in the memory of a targeted system.  The fact of the matter though is that very few Linux systems have system wide ASLR enforcement and with a bug affecting such a widely used function; it is inevitable that many vulnerable products will not gain the ASLR protections.  The bigger barrier to execution as I see it is that in most cases the attacker needs to get parallel name resolution (IPv4/IPv6) to an attacker controlled name server either directly or through a recursive lookup.”

Craig explains, “The more common attack scenario of course would be a recursive lookup since hopefully most attackers do not have control over popular DNS servers.  The problem with this scenario however, is that payloads needed for exploiting this for code execution are probably not going to be well-formed responses and will likely get dropped en route.  That being said, it is important that users and service operators deploy patches as soon as possible. If we do see cases of in the wild exploitation from this, I would expect that web sites or services which query user-controlled domain names might be top on the list of ideal targets.”