CONFERENCE Now Live: CISO Forum Virtual Summit - Join Event In-Progress
Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

VMware Products Affected by Critical glibc Flaw

A critical remote code execution vulnerability found in the GNU C Library (glibc) affects most Linux systems and many widely used products, including ones from VMware.

A critical remote code execution vulnerability found in the GNU C Library (glibc) affects most Linux systems and many widely used products, including ones from VMware.

VMware published an advisory on Monday to inform customers that the flaw, tracked as CVE-2015-7547, affects ESXi and several products that are shipped as a virtual appliance.

The vulnerability impacts ESXi 5.5 and 6.0 and all versions of VMware virtual appliances running on Linux, including vSphere, vCenter, vRealize, vCloud, Orchestrator, Workbench, and EUC Identity Manager, Identity Manager Connector and Access Point. Windows-based products and ESXi versions prior to 5.5 are not affected.

The vendor has released a patch, ESXi550-201602401-SG, to resolve the issue in ESXi 5.5, but a fix has yet to be released for ESXi 6.0. Patches and workarounds have been made available for affected VMware virtual appliances.

The glibc vulnerability, a stack-based buffer overflow related to the getaddrinfo() function, was first reported in July 2015 by Robert Holiday of Ciena. The issue, introduced in 2008 with the release of version 2.9, was later also discovered by a Google engineer. Experts at Google and Red Hat independently assessed the impact of the flaw and determined that it’s a serious issue that can lead to remote code execution.

“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack,” Google said.

Further analysis conducted by security firm Qualys, Yahoo!, researcher Dan Kaminsky and others revealed that the bug is even more serious than initially reported.

“The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend,” Kaminsky said. “This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe.”

Advertisement. Scroll to continue reading.

Kaminsky compared this vulnerability to the GHOST bug found in glibc last year and noted that the latter was “fiddly” and had far more mitigating factors compared to CVE-2015-7547.

“Anyway one looks at it: this is critical and will only get worse in the next couple of weeks. Patch the glibc library in use as soon as possible,” Wolfgang Kandek, CTO of Qualys, warned. “The mitigations listed by Redhat in their article have the potential to interfere in normal DNS operations so they are only an option if you are certain of your DNS usage.”

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join SecurityWeek and Hitachi Vantara for this this webinar to gain valuable insights and actionable steps to enhance your organization's data security and resilience.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Gant Redmon has joined Trustle as its new Chief Executive Officer and Board Director.

Application security firm Black Duck has appointed Sean Forkan as Chief Revenue Officer.

Jared Bartel has been named CISO at Idaho State University.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.