Google and Red Hat have linked up to deliver a patch for a serious bug in the GNU C Library, or glibc, which is widely used in Linux applications, distributions and devices.
Anyone running a Linux server is likely to need to install the jointly-developed patch that fixes a critical flaw in the getaddrinfo function in glibc.
The vulnerability went unnoticed until recently, but it was introduced in version 2.9 of the open-source library, which was released in May 2008.
Google has detailed that the bug is a stack buffer overflow in the function that can be exploited remotely by causing a machine to perform a DNS lookup and then delivering a response, over UDP or TCP, that exceeds 2,048 bytes.
Google engineers said any software using getaddrinfo "may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack".
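As an added illustration, not code from Google or Red Hat, the following Python script flags DNS responses larger than the 2,048-byte figure cited above, whether they arrive as a single UDP datagram or inside a length-prefixed TCP stream. The sample messages are constructed, and the threshold constant and header parsing are assumptions about what a network monitor would check.

```python
"""Flag oversized DNS responses (> 2048 bytes) in captured UDP or TCP payloads."""
import struct

OVERSIZE_THRESHOLD = 2048  # byte count named in the advisory; assumed as the alert threshold


def is_dns_response(msg: bytes) -> bool:
    """True when a 12-byte DNS header is present and its QR bit marks the message as a response."""
    if len(msg) < 12:
        return False
    (flags,) = struct.unpack("!H", msg[2:4])
    return bool(flags & 0x8000)


def split_tcp_dns(stream: bytes):
    """Yield DNS messages from a TCP stream; each is prefixed by a 2-byte big-endian length."""
    pos = 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        pos += 2
        yield stream[pos:pos + length]  # a truncated final message is yielded as-is
        pos += length


def oversized_dns_responses(payload: bytes, transport: str) -> list:
    """Return the sizes of DNS responses in the payload that exceed OVERSIZE_THRESHOLD.

    Queries (QR bit clear) and non-DNS data are ignored, so only answers are reported.
    """
    messages = [payload] if transport == "udp" else list(split_tcp_dns(payload))
    return [len(m) for m in messages if is_dns_response(m) and len(m) > OVERSIZE_THRESHOLD]


def build_response(txid: int, total_len: int) -> bytes:
    """Construct a synthetic DNS response of the requested length (test data, not real traffic)."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1, one question, one answer
    return header + b"\x00" * (total_len - len(header))


# Constructed samples: a normal 512-byte UDP answer, and a TCP stream carrying a 100-byte
# answer followed by a 3000-byte answer that crosses the threshold.
UDP_SAMPLE = build_response(0x1234, 512)
SMALL = build_response(0x0001, 100)
BIG = build_response(0xABCD, 3000)
TCP_SAMPLE = struct.pack("!H", len(SMALL)) + SMALL + struct.pack("!H", len(BIG)) + BIG

if __name__ == "__main__":
    print("udp oversized:", oversized_dns_responses(UDP_SAMPLE, "udp"))  # []
    print("tcp oversized:", oversized_dns_responses(TCP_SAMPLE, "tcp"))  # [3000]
```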
Like previous open-source bugs, this one also affects a wide range of Linux distributions, software and devices.
"Pretty much any Linux system uses glibc, and getaddrinfo is typically used to resolve IP addresses, which means Linux servers, as well as workstations, are vulnerable unless they run an old version of glibc (pre-2.9)," noted Johannes Ullrich, CTO of the SANS Internet Storm Center.
Ullrich initially believed Android devices were probably also affected by the bug. However, security researcher Kenn White has since pointed out that Google opted for Bionic, an alternative C library, for Android.
White also said there is a possibility that CentOS, Oracle, and Amazon Linux may be vulnerable to the glibc vulnerability.
Although Google engineers discovered the flaw independently, when they began assessing it they discovered the issue had been previously reported to glibc's maintainers and that engineers at Red Hat were also investigating the issue.
The two companies collaborated on the development and testing of the patch that was released on Tuesday.
Red Hat has confirmed that affected products include multiple versions of RHEL server, workstation and desktop products.
Google has developed exploit code for the flaw but is not making that software publicly available. However, it has published a proof of concept that can be used to test if systems are vulnerable.
"When code crashes unexpectedly, it can be a sign of something much more significant than it appears; ignore crashes at your peril," Google's engineers said.
They also noted that while remote code execution is possible, it would still require bypassing exploit mitigations such as address-space layout randomization.