As Ars Technica reports, the bug in the GNU C Library was introduced in 2008. It could have been exploited by hackers for seven years before being discovered by several parties recently.
GNU C Library, known colloquially as glibc, is a library of code that is used by Linux for interaction with the C programming language. Because of its status as a base dependency for the operating system, it is present in nearly all Linux distributions.
A buffer overflow bug in one of its core functions, getaddrinfo(), allows attackers to remotely execute their own code and gain root access to the device. The function is used to perform domain-name lookups to ascertain the identity of web servers. An attacker could set up their own server to hijack the device when it performed a lookup on the server’s address.
The vulnerability was publicly disclosed this Tuesday by Google. It found the bug by chance while working on its own software. An engineer noticed that their SSH client – a program used to connect remotely to other computers – experienced a fatal crash every time they tried to connect to one specific computer. Google began investigating and realised the problem lay much deeper than with the SSH program.
“Have you ever been deep in the mines of debugging and suddenly realized you were staring at something far more interesting than you expected? You are not alone!”, said Google in a blog post.
“Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting.”
It eventually traced the bug to the glibc library and reported it to the code’s maintainers. The team was already aware of it though as a report had been filed in July 2015. By chance, Google found that two members of the Red Hat operating system team – Florian Weimer and Carlos O’Donell – were already working on a bug fix, doing so quietly to avoid widespread coverage of the major problem.
Google said: “Thanks to this engineer’s keen observation, we were able determine that the issue could result in remote code execution. We immediately began an in-depth analysis of the issue to determine whether it could be exploited, and possible fixes. We saw this as a challenge, and after some intense hacking sessions, we were able to craft a full working exploit!”
Google has decided not to release details of the exploit because of the potential severity of the bug. Aside from being a core component of Linux, the code library is also used as a base for programming languages including Python and PHP.
The vast array of devices affected means that giving hackers access to the code required to exploit it wouldn’t be a good idea. The company has demonstrated a proof of concept attack though to prove the severity of the vulnerability, present in glibc versions newer than 2.9.
After seven years, a patch is available for download now and should be applied immediately to Linux computers and servers. For many other kinds of device, the update is unlikely to ever be released though, despite the severity of the issue.
This will be a particular concern in the case of products like Wi-Fi routers, devices that are constantly performing domain name lookups but are rarely patched by manufacturers, especially when a few years old. Notably, Google’s Android OS isn’t affected by this bug as it uses a different version of glibc where the vulnerability isn’t present.
Because the bug has been around since 2008, it is unlikely that Google and Red Hat are the only people to have found it. Hackers may already be using the exploit and if not are likely to begin now. Even with a patch in the wild, many servers are likely to be left at risk for months. Users of Linux on home computers should receive the update automatically.
