A vulnerability has been detected in libc getaddrinfo(), which can result in a buffer overflow allowing remote code execution. UBC IT is focusing efforts on securing UBC internal DNS servers against the vulnerability.
This issue has been assigned CVE-2015-7547. We expect more information to be added to the common vulnerability pages shortly.
Recommended Action for Linux Machines
We recommend that everyone at UBC use the following DNS severs, which we have confirmed with our vendor to be not susceptible to the cache traversal attack:
- 220.127.116.11, 18.104.22.168 (Vancouver Campus)
- 22.214.171.124, 126.96.36.199 (Okanagan Campus)
We strongly recommend that servers that are not using campus DNS servers be patched as soon as possible. Systems using campus DNS servers should be patched in their next monthly patch cycle.
If you are running a version of Linux that both has a vulnerable libc and is no longer supported by the vendor, due to end-of-life, please ensure that you are using the campus DNS servers for address resolution. An additional mitigation would be to run a local caching resolver, such as unbound, and configured to use the campus DNS servers.
Please do not follow the mitigations that the libc maintainers suggested regarding limiting the size of DNS response using firewall configuration or otherwise, as this will likely have a negative impact on DNS resolution.
The UBC IT Satellite server is up-to-date with the current patch available in the standard channel.
Currently known package updates include, but are not limited to:
- RedHat: https://access.redhat.com/articles/2161461
- Debian: https://security-tracker.debian.org/tracker/CVE-2015-7547
- SUSE: https://www.suse.com/security/cve/CVE-2015-7547.html
- Ubuntu: http://www.ubuntu.com/usn/usn-2900-1/