Advisory ID: 16-0007
Publish Date: 2016-02-25
Revision: 1.3 (updated 2016-05-02)
Summary
The glibc DNS client-side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software that uses this function may be exploited through attacker-controlled domain names, attacker-controlled DNS servers, or a man-in-the-middle attack.
Detailed Description
A stack-based buffer overflow was found in libresolv in the code that performs dual A/AAAA DNS queries. A remote attacker could create specially crafted DNS responses that cause libresolv to crash or potentially execute code with the permissions of the process that called the library. The overflow occurs in the functions send_dg (for UDP queries) and send_vc (for TCP queries) in libresolv. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw has been assigned CVE-2015-7547.
Affected Products
The following products have been identified as being affected (updated 2016-05-02):
Product Name | Product Versions | Security Bulletin | Last Updated |
Oria | Oria 4.0, 4.0 SP1 (4.0.39.0, 4.0.112.0) | 16-0007-009 | 2016-05-02 |
MiCollab AWV | 6.0.0.61 and earlier; 5.0.5.7 and earlier; 5.0.4.19 and earlier | 16-0007-003 | 2016-03-07 |
MiCollab Client | 6.0 SP4 and earlier | 16-0007-004 | 2016-03-07 |
Mitel Standard Linux (MSL) | MSL 10.4.12.0 and earlier; MSL 10.3.37.0 and earlier; MSL 10.1.48 and earlier; MSL 10.0.x | 16-0007-001 | 2016-03-07 |
Mitel Border Gateway (MBG) | All versions 9.2 and earlier running affected MSL | 16-0007-001 | 2016-03-07 |
MiVoice Business for Industry Standard Server and VMware Virtual Appliance | 6.0 and earlier | 16-0007-006 | 2016-03-07 |
MiVoice Business for Stratus | Versions based on RedHat Linux 6.3 | 16-0007-006 | 2016-03-07 |
MiVoice Business for Multi-instance platform - Server Manager | 1.2 and earlier | 16-0007-006 | 2016-03-07 |
MiVB-X | 7.0.0.102 and earlier; 6.0.207.0 and earlier | 16-0007-008 | 2016-04-08 |
MX-ONE, MiVoice MX-ONE, MiVoice MX-ONE Express, Mitel 700 | 6.0 SP2 and 6.1 (SLES 11 SP3/SP4) | 16-0007-002 | 2016-03-07 |
NPM | NPM 8 (18.0.0.49) and earlier; NPM 7 SP2 (17.2.0.3) and earlier; NPM 7 SP1 (17.1.0.11) and earlier | 16-0007-007 | 2016-03-07 |
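The table above is organised by Mitel product, but the exposure of any of these systems comes down to the glibc build on the underlying Linux host. The following triage helper is an added example for this advisory, not Mitel's or glibc's code. Two facts it relies on are not stated on this page and are assumptions of the example: upstream glibc 2.9 through 2.22 contain the bug and 2.23 ships the fix; and enterprise distributions backport the fix without changing the upstream version number, so on those hosts the package changelog (`rpm -q --changelog glibc`, or Debian's `changelog.Debian.gz`) is the signal to trust rather than the version alone. The sample `ldd --version` lines and changelog fragments used below are constructed.

```python
"""Triage a Linux host's glibc for CVE-2015-7547 exposure.

Added example for this advisory; not Mitel's or glibc's code.
Assumptions (not stated in the advisory):
  * upstream glibc 2.9 .. 2.22 contain the bug, 2.23 carries the fix;
  * distributions that backport the fix keep the upstream version number,
    so the package changelog naming the CVE is the authoritative signal there.
"""
import gzip
import re
import subprocess

CVE = "CVE-2015-7547"
FIRST_AFFECTED = (2, 9)   # assumption: first upstream release with the bug
FIRST_FIXED = (2, 23)     # assumption: first upstream release with the fix


def parse_glibc_version(ldd_output: str) -> tuple:
    """Return the upstream (major, minor) from the first line of `ldd --version`.

    Handles 'ldd (GNU libc) 2.17' as well as distro-decorated lines such as
    'ldd (Debian GLIBC 2.19-18+deb8u3) 2.19'; the last 'x.y' on the line is
    the upstream version.
    """
    first = ldd_output.strip().splitlines()[0] if ldd_output.strip() else ""
    matches = re.findall(r"(\d+)\.(\d+)", first)
    if not matches:
        raise ValueError(f"no glibc version found in {first!r}")
    major, minor = matches[-1]
    return (int(major), int(minor))


def upstream_version_affected(version: tuple) -> bool:
    """True when the upstream version lies in the vulnerable range."""
    return FIRST_AFFECTED <= version < FIRST_FIXED


def changelog_mentions_fix(changelog_text: str) -> bool:
    """A changelog entry naming the CVE is how a backported fix shows up."""
    return CVE in changelog_text


def triage(ldd_output: str, changelog_text: str = "") -> dict:
    """Combine the version range with the changelog into one verdict."""
    version = parse_glibc_version(ldd_output)
    if version < FIRST_AFFECTED:
        verdict = "not affected (predates the vulnerable code)"
    elif version >= FIRST_FIXED:
        verdict = "not affected (upstream fix included)"
    elif changelog_mentions_fix(changelog_text):
        verdict = "fixed by distribution backport"
    else:
        verdict = "affected (no fix found)"
    return {"version": version, "verdict": verdict}


def _run(cmd: list) -> str:
    """Run a command and return stdout, or '' when the tool is not installed."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def triage_local_host() -> dict:
    """Gather the inputs from the running host (RPM first, then Debian packaging)."""
    ldd_output = _run(["ldd", "--version"])
    changelog = _run(["rpm", "-q", "--changelog", "glibc"])
    if not changelog:
        try:
            with gzip.open("/usr/share/doc/libc6/changelog.Debian.gz", "rt",
                           errors="replace") as fh:
                changelog = fh.read()
        except OSError:
            pass
    return triage(ldd_output, changelog)


if __name__ == "__main__":
    print(triage_local_host())
```

The point of the changelog branch is the one that bites in practice: a host reporting glibc 2.12 or 2.17 may be fully patched, and a host reporting 2.22 may not be, so the version number alone is neither sufficient nor necessary evidence.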
Products Under Investigation
The following products are being evaluated to determine potential exposure and risk (updated 2016-05-02):
Product Name
3000 Communications System
340w and 342w
6700i, 6800i (Praxis) Series SIP Phones
74XXip (H323 terminal family)
9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones
A1023i
BluStar 8000i
BluStar Android
BluStar iOS
Clearspan (AudioCodes eSBC / Gateway)
Clearspan (Edgewater eSBC)
Comdasys Convergence 4675
Comdasys Convergence 6719
Comdasys MC Client Android
Comdasys MC Client iOS
Dialog 5446ip, 4XXXip (H323 terminal family)
Enterprise Manager
FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller)
FMC Controller for Intelligate
MiCollab (MAS) / (SAS) / vMAs
MiCollab (MCA)
MiCollab Advanced Messaging
MiContact Center Live
MiContact Center Office
MiContact Center Outbound
Mitel Alarm Server
Mitel MMC Android
Mitel MMC iOS
Mitel5000 Compact
Mitel5000 Gateway
MiVoice 5602/5603/5604/5606/5607 IP DECT phones (DT390, DT690, DT692, DT292, DT590) (Ascom OEM)
MiVoice 5624 WiFi Phone (Ascom OEM)
MiVoice Business Dashboard (CSM)
MiVoice Conference Unit (UC360)
MiVoice Digital Phones 8528, 8568
MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)
MiVoice IP Phones 53xx, 5540
MiVoice IP Phones 5560, 5505
MiVoice Office 400 Virtual Appliance
MiVoice5000
MiVoice5000 Manager
MiXML server
Multi-Instance Communications Director (MiCD)
NuPoint UM (Standalone)
OIG
Redirection and Configuration Service (RCS)
S850i (Revolabs OEM)
TA7102i / TA7104i
Virtual MiVoice Communications Director (vMCD)
WSM, WSM-3 (CPDM 3) (Ascom OEM)
This list will be updated with additional information as it becomes available.
Products not Affected
The following products have been identified as not being affected as they do not use the affected component (updated 2016-05-02):
Product Name
3250
5300 series digital
5550 IP Console
Aastra 1560ip
Aastra 2380ip
Aastra 5300ip
BluStar Client (PC)
BluStar Server
Centergy Virtual Contact Center
Clearspan (Acme Packet Core SBC)
Clearspan (Broadworks Platform)
CMG
CPU2 / CPU2-S on Mitel 470 Controller
CT Gateway
D.N.A. Application Suite
DECToverIP (Mitel 100 | OpenCom 100)
DECToverIP (OC1000)
ER Adviser
InAttend
MiCollab Client (Desktop/Web)
MiCollab Mobile Client (Android)
MiCollab Mobile Client (iOS)
MiContact Center Business
MiContact Center Enterprise 9.1
MiContact Center for Microsoft Lync
MiContact Center Solidus 9.0 SP1
Mitel 800
Mitel 100 / OpenCom X320
MiVoice 5610 DECT Handset and IP DECT Stand
MiVoice Business - MCD (PPC)
MiVoice Business - MXe Server
MiVoice Business Console
MiVoice Call Accounting
MiVoice Call Recording
MiVoice for Lync
MiVoice Office 250 (Mitel 5000)
MiVoice Office 400
Oaisys Talkument
Oaisys Tracer
Open Interfaces Platform (OIP, OIP WebAdmin)
OpenCom 1000 family
OpenPhone 7x IP
PointSpan
Secure IP Remote Management SRM
SIP-DECT
SIP-DECT Open Mobility Manager
SIP-DECT with Cloud-ID
Solidus eCare 8.3 SP4
SX-200IP ICP
Telephony Switch (TSW)
Telepo
This list will be updated with additional information as it becomes available.
Risk Assessment
CVE-2015-7547 is rated as moderate risk: it can cause a complete denial of service on the vulnerable system or potentially allow the execution of unauthorized code.
Mitigation / Recommended Action
As per the vendor advisory:
This vulnerability can be “mitigated by using a trusted, protocol-compliant DNS resolver on a trusted network. A compliant resolver will not produce the kind of oversized responses which are necessary to exploit this vulnerability because by default, the glibc resolver does not enable EDNS0 and does not request large responses.
The TCP-based vector could be mitigated by a trusted recursive resolver on a trusted network which limits the size of individual DNS responses to 1023 bytes and below. However, such a capability is not common in DNS resolver implementations because it breaks the DNS protocol. (The buffer size configuration option offered by most resolvers only applies to UDP, not TCP.)
Rejecting AAAA responses, without also limiting the size of A responses, does not mitigate the vulnerability. Disabling IPv6 support on affected systems does not mitigate the vulnerability because the dual A/AAAA lookups are performed even if the system lacks IPv6 support.”
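Both the detailed description and the mitigation text above turn on response size: the overflow in send_dg/send_vc is reached only by answers larger than the resolver expects, and a compliant resolver on a trusted network never produces them. The following screener is an added example for this advisory, not Mitel's or glibc's code, and it can be pointed at captured DNS responses to check that claim on a given network. Three figures it uses are assumptions not stated on this page: glibc reads UDP answers into a 2048-byte stack buffer (a fact about the vulnerable glibc code), 512 bytes is the RFC 1035 UDP limit a server must honour when the client did not advertise EDNS0 (which glibc does not), and 1023 bytes is the TCP figure quoted in the mitigation text. The sample responses are constructed inline, so nothing is read from the network.

```python
"""Size-based screening of DNS responses for CVE-2015-7547.

Added example for this advisory; not Mitel's or glibc's code.
Assumptions not stated on the page:
  * glibc's resolver receives UDP answers into a 2048-byte stack buffer, so
    only responses above that size can reach the overflow;
  * 512 bytes is the classic UDP payload limit (RFC 1035) that applies when
    the client did not advertise EDNS0, which glibc never does;
  * 1023 bytes is the TCP limit quoted in the advisory's mitigation text.
The sample messages are constructed inline.
"""
import struct

UDP_STACK_BUFFER = 2048  # assumption: glibc's stack answer buffer
CLASSIC_UDP_MAX = 512    # RFC 1035 UDP limit without EDNS0
TCP_SAFE_LIMIT = 1023    # figure quoted in the advisory's mitigation text
TYPE_OPT = 41            # EDNS0 OPT pseudo-RR


def parse_header(msg: bytes) -> dict:
    """Unpack the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": ident, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        if off >= len(msg):
            raise ValueError("truncated name")
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, then done
            return off + 2
        off += 1 + length


def has_edns0(msg: bytes) -> bool:
    """Walk every section and report whether the additional section has an OPT RR."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = _skip_name(msg, off) + 4  # QTYPE + QCLASS
    sections = (("an", hdr["ancount"]), ("ns", hdr["nscount"]), ("ar", hdr["arcount"]))
    for section, count in sections:
        for _ in range(count):
            off = _skip_name(msg, off)
            if off + 10 > len(msg):
                raise ValueError("truncated resource record")
            rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            off += 10 + rdlen
            if section == "ar" and rtype == TYPE_OPT:
                return True
    return False


def assess(msg: bytes, transport: str) -> dict:
    """Classify one response by size against the thresholds above."""
    hdr = parse_header(msg)
    size = len(msg)
    if not hdr["qr"]:
        level, reason = "ignore", "not a response"
    elif transport == "udp" and size > UDP_STACK_BUFFER:
        level, reason = "overflow-sized", (f"{size}-byte UDP response exceeds the "
                                           f"{UDP_STACK_BUFFER}-byte stack buffer")
    elif transport == "udp" and size > CLASSIC_UDP_MAX:
        level, reason = "oversized", (f"{size}-byte UDP response exceeds {CLASSIC_UDP_MAX} "
                                      "bytes; glibc never advertises EDNS0, so a compliant "
                                      "server would have set TC instead")
    elif transport == "tcp" and size > TCP_SAFE_LIMIT:
        level, reason = "oversized", (f"{size}-byte TCP response exceeds the "
                                      f"{TCP_SAFE_LIMIT}-byte limit from the mitigation text")
    else:
        level, reason = "ok", "within expected size"
    return {"size": size, "transport": transport, "edns0": has_edns0(msg),
            "tc": hdr["tc"], "level": level, "reason": reason}


def _encode_name(name: str) -> bytes:
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode() for lb in labels) + b"\x00"


def build_response(qname: str, n_records: int, flags: int = 0x8180,
                   opt: bool = False) -> bytes:
    """Construct a sample A response with n_records answers (optionally plus an OPT RR)."""
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, n_records, 0, 1 if opt else 0)
    question = _encode_name(qname) + struct.pack("!HH", 1, 1)  # A, IN
    a_rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + b"\x0a\x00\x00\x01"
    opt_rr = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0, 0) if opt else b""
    return header + question + a_rr * n_records + opt_rr


if __name__ == "__main__":
    for n, transport in ((20, "udp"), (40, "udp"), (200, "udp"), (200, "tcp")):
        r = assess(build_response("example.com", n), transport)
        print(f"{transport} {r['size']:5d} bytes -> {r['level']}: {r['reason']}")
```

Run against real traffic, an "oversized" UDP verdict is the interesting one even when it stays under 2048 bytes: it shows the resolver in the path is willing to exceed what a non-EDNS0 client asked for, which is exactly the behaviour the quoted mitigation relies on not happening.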
External References