A critical remote code execution vulnerability found in the GNU C Library (glibc) affects most Linux systems and many widely used products, including ones from VMware.
VMware published an advisory on Monday to inform customers that the flaw, tracked as CVE-2015-7547, affects ESXi and several products that are shipped as a virtual appliance.
The vulnerability impacts ESXi 5.5 and 6.0 and all versions of VMware virtual appliances running on Linux, including vSphere, vCenter, vRealize, vCloud, Orchestrator, Workbench, and EUC Identity Manager, Identity Manager Connector and Access Point. Windows-based products and ESXi versions prior to 5.5 are not affected.
The vendor has released a patch, ESXi550-201602401-SG, to resolve the issue in ESXi 5.5, but a fix has yet to be released for ESXi 6.0. Patches and workarounds have been made available for affected VMware virtual appliances.
The glibc vulnerability, a stack-based buffer overflow related to the getaddrinfo() function, was first reported in July 2015 by Robert Holiday of Ciena. The issue, introduced in 2008 with the release of version 2.9, was later also discovered by a Google engineer. Experts at Google and Red Hat independently assessed the impact of the flaw and determined that it’s a serious issue that can lead to remote code execution.
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack,” Google said.
Further analysis conducted by security firm Qualys, Yahoo!, researcher Dan Kaminsky and others revealed that the bug is even more serious than initially reported.
“The glibc DNS bug (CVE-2015-7547) is unusually bad. Even Shellshock and Heartbleed tended to affect things we knew were on the network and knew we had to defend,” Kaminsky said. “This affects a universally used library (glibc) at a universally used protocol (DNS). Generic tools that we didn’t even know had network surface (sudo) are thus exposed, as is software written in programming languages designed explicitly to be safe.”
Kaminsky compared this vulnerability to the GHOST bug found in glibc last year and noted that the latter was “fiddly” and had far more mitigating factors compared to CVE-2015-7547.
Yahoo pentest team just executed a ROP chain on Apache+PHP using CVE-2015-7547. Still not reliable or ‘weaponized’ but huge progress made
— Chris Rohlf (@chrisrohlf) February 19, 2016
“Anyway one looks at it: this is critical and will only get worse in the next couple of weeks. Patch the glibc library in use as soon as possible,” Wolfgang Kandek, CTO of Qualys, warned. “The mitigations listed by Redhat in their article have the potential to interfere in normal DNS operations so they are only an option if you are certain of your DNS usage.”