Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

VMware Products Affected by Critical glibc Flaw

A critical remote code execution vulnerability found in the GNU C Library (glibc) affects most Linux systems and many widely used products, including ones from VMware.

A critical remote code execution vulnerability found in the GNU C Library (glibc) affects most Linux systems and many widely used products, including ones from VMware.

VMware published an advisory on Monday to inform customers that the flaw, tracked as CVE-2015-7547, affects ESXi and several products that are shipped as a virtual appliance.

The vulnerability impacts ESXi 5.5 and 6.0 and all versions of VMware virtual appliances running on Linux, including vSphere, vCenter, vRealize, vCloud, Orchestrator, Workbench, and EUC Identity Manager, Identity Manager Connector and Access Point. Windows-based products and ESXi versions prior to 5.5 are not affected.

The vendor has released a patch, ESXi550-201602401-SG, to resolve the issue in ESXi 5.5, but a fix has yet to be released for ESXi 6.0. Patches and workarounds have been made available for affected VMware virtual appliances.

The glibc vulnerability, a stack-based buffer overflow related to the getaddrinfo() function, was first reported in July 2015 by Robert Holiday of Ciena. The issue, introduced in 2008 with the release of version 2.9, was later also discovered by a Google engineer. Experts at Google and Red Hat independently assessed the impact of the flaw and determined that it’s a serious issue that can lead to remote code execution.

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack,” Google said.

Further analysis conducted by security firm Qualys, Yahoo!, researcher Dan Kaminsky and others revealed that the bug is even more serious than initially reported.

“The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend,” Kaminsky said. “This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe.”

Advertisement. Scroll to continue reading.

Kaminsky compared this vulnerability to the GHOST bug found in glibc last year and noted that the latter was “fiddly” and had far more mitigating factors compared to CVE-2015-7547.

“Anyway one looks at it: this is critical and will only get worse in the next couple of weeks. Patch the glibc library in use as soon as possible,” Wolfgang Kandek, CTO of Qualys, warned. “The mitigations listed by Redhat in their article have the potential to interfere in normal DNS operations so they are only an option if you are certain of your DNS usage.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybercrime

Patch Tuesday: Microsoft calls attention to a series of zero-day remote code execution attacks hitting its Office productivity suite.

Vulnerabilities

Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Vulnerabilities

The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.