Posted on Mar 09th, 2016 by Michael Furman

On February 16th a critical vulnerability in glibc, a widely used open source library that underpins thousands of standalone applications and most distributions of Linux, was disclosed jointly by Google and Red Hat. Within 24 hours Tufin had announced the impact to our subscribed customers and delivered a patch for this vulnerability.

The GNU C Library, commonly known as glibc, is the C standard library used by most Linux distributions; nearly every Linux-based application and appliance links against it. The flaw (CVE-2015-7547) is a stack-based buffer overflow in the DNS resolver code that getaddrinfo() uses for domain-name lookups. The resolver sets aside a 2048-byte buffer on the stack for the DNS reply; under specific conditions a reply larger than that is still written into the stack buffer, overflowing it. Because the trigger is the response rather than the query, a remote attacker who controls an authoritative DNS server, operates a malicious resolver, or can spoof replies on the network path can crash the vulnerable application or device or, potentially, execute arbitrary code with its privileges. The bug was introduced in glibc 2.9 in 2008; glibc 2.9 through 2.22 are vulnerable, and the fix is included in 2.23 and in the security updates that distributions backported to their supported releases.

Anyone responsible for Linux-based software or hardware that performs domain name lookups should address this vulnerability as soon as possible. We recommend checking with all your Linux and Unix-based vendors which of their products are affected and requesting the appropriate patch. Security researchers say the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; language runtimes and frameworks such as Python, PHP and Ruby on Rails; and anything else that relies on glibc to look up the numerical IP address of an Internet domain. Most Bitcoin software is reportedly vulnerable, too. Note that updating the library on disk does not protect processes that are already running, so long-running services must be restarted (or the system rebooted) after the patch is applied, and binaries statically linked against a vulnerable glibc must be rebuilt.
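A first pass when inventorying systems is to read the installed glibc version and compare it with the upstream affected range. The script below is an added example, not Tufin's patch or tooling: the function names are ours, and it assumes a glibc-based host on which getconf or ldd is available. Because distributions backport the fix into packages that still report an older upstream version, an "in-range" result means "verify against the vendor advisory", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example, not Tufin's code: a first-pass inventory check for
# CVE-2015-7547 based on the installed glibc version.
#
# Upstream glibc 2.9 through 2.22 contain the bug; 2.23 contains the fix.
# Distributions backport the fix into packages that still report an older
# upstream version, so "in-range" means "verify against the vendor's
# advisory", not "confirmed vulnerable". Function names are ours.

# Classify a glibc version string: prints in-range, out-of-range or unknown.
# Accepts plain "2.17" as well as vendor-decorated "2.17-106.el7_2.4".
glibc_cve_2015_7547_range() {
    ver="$1"
    if [ -z "$ver" ]; then
        echo unknown
        return
    fi
    major=${ver%%.*}            # "2.17-106.el7_2.4" -> "2"
    rest=${ver#*.}              #                    -> "17-106.el7_2.4"
    minor=${rest%%.*}           #                    -> "17-106"
    minor=${minor%%[!0-9]*}     #                    -> "17"
    if [ "$major" = 2 ] && [ -n "$minor" ] \
       && [ "$minor" -ge 9 ] && [ "$minor" -le 22 ]; then
        echo in-range
    else
        echo out-of-range
    fi
}

# Read the version of the glibc this host actually runs.
# getconf prints "glibc 2.xx"; ldd --version is the fallback on older systems.
installed_glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    if [ -z "$v" ]; then
        v=$(ldd --version 2>/dev/null | sed -n '1s/.* //p')
    fi
    echo "$v"
}

# Report on this host. A patched library only protects processes started
# after the update, so pair the result with a restart of long-running services.
host_version=$(installed_glibc_version)
echo "glibc ${host_version:-unknown}: $(glibc_cve_2015_7547_range "$host_version")"
```

Run it on each host (or push it through your configuration management tool) and treat every "in-range" result as a ticket to confirm the package changelog against your vendor's advisory for CVE-2015-7547.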

To help Tufin customers with this urgent task, we built and published a patch for TufinOS 2.x installations on the Tufin user portal (TufinOS 1.x versions are not vulnerable to this buffer overflow flaw). If you did not receive this patch, or if you wish to receive prompt alerts on future vulnerabilities as they happen, please subscribe to our security announcements. If you still haven't deployed the patch and require assistance, please contact our support team.