Connect with us

Hi, what are you looking for?

Tech & Science

Seven-year old Linux bug potentially devastating to devices

As Ars Technica reports, the bug in the GNU C Library was introduced in 2008. It could have been exploited by hackers for seven years before being discovered by several parties recently.
GNU C Library, known colloquially as glibc, is a library of code that is used by Linux for interaction with the C programming language. Because of its status as a base dependency for the operating system, it is present in nearly all Linux distributions.
A buffer overflow bug in one of its core functions, getaddrinfo(), allows attackers to remotely execute their own code and gain root access to the device. The function is used to perform domain-name lookups to ascertain the identity of web servers. An attacker could set up their own server to hijack the device when it performed a lookup on the server’s address.
The vulnerability was publicly disclosed this Tuesday by Google. It found the bug by chance while working on its own software. An engineer noticed that their SSH client – a program used to connect remotely to other computers – experienced a fatal crash every time they tried to connect to one specific computer. Google began investigating and realised the problem lay much deeper than with the SSH program.
“Have you ever been deep in the mines of debugging and suddenly realized you were staring at something far more interesting than you expected? You are not alone!”, said Google in a blog post.
“Recently a Google engineer noticed that their SSH client segfaulted every time they tried to connect to a specific host. That engineer filed a ticket to investigate the behavior and after an intense investigation we discovered the issue lay in glibc and not in SSH as we were expecting.”
It eventually traced the bug to the glibc library and reported it to the code’s maintainers. The team was already aware of it though as a report had been filed in July 2015. By chance, Google found that two members of the Red Hat operating system team – Florian Weimer and Carlos O’Donell – were already working on a bug fix, doing so quietly to avoid widespread coverage of the major problem.
Google said: “Thanks to this engineer’s keen observation, we were able determine that the issue could result in remote code execution. We immediately began an in-depth analysis of the issue to determine whether it could be exploited, and possible fixes. We saw this as a challenge, and after some intense hacking sessions, we were able to craft a full working exploit!”
Google has decided not to release details of the exploit because of the potential severity of the bug. Aside from being a core component of Linux, the code library is also used as a base for programming languages including Python and PHP.
The vast array of devices affected means that giving hackers access to the code required to exploit it wouldn’t be a good idea. The company has demonstrated a proof of concept attack though to prove the severity of the vulnerability, present in glibc versions newer than 2.9.
After seven years, a patch is available for download now and should be applied immediately to Linux computers and servers. For many other kinds of device, the update is unlikely to ever be released though, despite the severity of the issue.
This will be a particular concern in the case of products like Wi-Fi routers, devices that are constantly performing domain name lookups but are rarely patched by manufacturers, especially when a few years old. Notably, Google’s Android OS isn’t affected by this bug as it uses a different version of glibc where the vulnerability isn’t present.
Because the bug has been around since 2008, it is unlikely that Google and Red Hat are the only people to have found it. Hackers may already be using the exploit and if not are likely to begin now. Even with a patch in the wild, many servers are likely to be left at risk for months. Users of Linux on home computers should receive the update automatically.

Written By

You may also like:

Life

People walk past flags outside the United Nations headquarters on May 20, 2021 in New York City - Copyright AFP/File CAROL VALADEBrazil’s Covid-unvaccinated President...

Business

Many people, meaning millions, are truly outraged and offended by billionaires going into space on joyrides.

Life

Moving forward on the campaign trail. Source - Justin Trudeau @JustinTrudeau Officiel du gouvernement - Canada.Justin Trudeau is facing harsh criticism from political rivals...

Tech & Science

The global dominance of tech giants serves as a convenient online chokepoint for authoritarian governments to crack down on dissent or rig elections.