Americas
Oceania
Sélectionnez la région / le pays / la langue
Advisory ID: 16-0007
Publish Date: 2016-02-25
Revision: 1.3 (updated 2016-05-02)
Summary
The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack.
Detailed Description
A stack-based buffer overflow was found in libresolv in the code which performs dual A/AAAA DNS queries. A remote attacker could create specially crafted DNS responses which could cause libresolv to crash or potentially execute code with the permissions of the user running the library. The buffer overflow occurs in the function send_dg (for UDP queries) and send_vc (for TCP queries) in libresolv. The issue is only exposed when libresolv is called from the nss_dns NSS service module. This flaw has been assigned CVE-2015-7547.
Affected Products
The following products have been identified as being affected (updated 2016-05-02):
Product Name | Product Versions | Security Bulletin | Last Updated |
Oria | Oria 4.0, 4.0 SP1 (4.0.39.0, 4.0.112.0) |
16-0007-009 | 2016-05-02 |
MiCollab AWV | 6.0.0.61 and earlier 5.0.5.7 and earlier 5.0.4.19 and earlier |
16-0007-003 | 2016-03-07 |
MiCollab Client | 6.0 SP4 and earlier | 16-0007-004 |
2016-03-07 |
Mitel Standard Linux (MSL) | MSL 10.4.12.0 and earlier MSL 10.3.37.0 and earlier MSL 10.1.48 and earlier MSL 10.0.x |
16-0007-001 | 2016-03-07 |
Mitel Border Gateway (MBG) | All versions 9.2 and earlier running affected MSL |
16-0007-001 | 2016-03-07 |
MiVoice Business for Industry Standard Server and VMware Virtual Appliance |
6.0 and earlier | 16-0007-006 | 2016-03-07 |
MiVoice Business for Stratus |
Versions based on RedHat Linux 6.3 |
16-0007-006 | 2016-03-07 |
MiVoice Business for Multi-instanceplatform - Server Manager | 1.2 and earlier | 16-0007-006 | 2016-03-07 |
MiVB-X | 7.0.0.102 and earlier 6.0.207.0 and earlier |
16-0007-008 | 2016-04-08 |
MX-ONE, MiVoice MX-ONE, MiVoice MX-ONE Express, Mitel 700 |
6.0 SP2 and 6.1 (SLES 11 SP3/SP4) |
16-0007-002 | 2016-03-07 |
NPM | NPM 8 (18.0.0.49) and earlier NPM 7 SP2 (17.2.0.3) and earlier NPM 7 SP1 (17.1.0.11) and earlier |
16-0007-007 | 2016-03-07 |
Products Under Investigation
The following products are being evaluated to determine potential exposure and risk (updated 2016-05-02):
Product Name
3000 Communications System
340w and 342w
6700i, 6800i (Praxis) Series SIP Phones
74XXip (H323 terminal family)
9000i Series (9480i, 9143i, 9133i, 9112i) SIP Phones
A1023i
BluStar 8000i
BluStar Android
BluStar iOS
Clearspan (AudioCodes eSBC / Gateway)
Clearspan (Edgewater eSBC)
Comdasys Convergence 4675
Comdasys Convergence 6719
Comdasys MC Client Android
Comdasys MC Client iOS
Dialog 5446ip, 4XXXip (H323 terminal family)
Enterprise Manager
FMC Controller (Comdasys MC Controller, Mitel Mobile Client Controller)
FMC Controller for Intelligate
MiCollab (MAS) / (SAS) / vMAs
MiCollab (MCA)
MiCollab Advanced Messaging
MiContact Center Live
MiContact Center Office
MiContact Center Outbound
Mitel Alarm Server
Mitel MMC Android
Mitel MMC iOS
Mitel5000 Compact
Mitel5000 Gateway
MiVoice 5602/5603/5604/5606/5607 IP DECT phones (DT390, DT690, DT692, DT292, DT590) (Ascom OEM)
MiVoice 5624 WiFi Phone (Ascom OEM)
MiVoice Business Dashboard (CSM)
MiVoice Conference Unit (UC360)
MiVoice Digital Phones 8528, 8568
MiVoice IP DECT Base Station (IPBS 433/434/430/440) (Ascom OEM)
MiVoice IP Phones 53xx, 5540
MiVoice IP Phones 5560, 5505
MiVoice Office 400 Virtual Appliance
MiVoice5000
MiVoice5000 Manager
MiXML server
Multi-Instance Communications Director (MiCD)
NuPoint UM (Standalone)
OIG
Redirection and Configuration Service (RCS)
S850i (Revolabs OEM)
TA7102i / TA7104i
Virtual MiVoice Communications Director (vMCD)
WSM, WSM-3 (CPDM 3) (Ascom OEM)
This list will be updated with additional information as it becomes available.
Products not Affected
The following products have been identified as not being affected as they do not use the affected component (updated 2016-05-02):
Product Name
3250
5300 series digital
5550 IP Console
Aastra 1560ip
Aastra 2380ip
Aastra 5300ip
BluStar Client (PC)
BluStar Server
Centergy Virtual Contact Center
Clearspan (Acme Packet Core SBC)
Clearspan (Broadworks Platform)
CMG
CPU2 / CPU2-S on Mitel 470 Controller
CT Gateway
D.N.A. Application Suite
DECToverIP (Mitel 100 | OpenCom 100))
DECToverIP (OC1000)
ER Adviser
InAttend
MiCollab Client (Desktop/Web)
MiCollab Mobile Client (Android)
MiCollab Mobile Client (iOS)
MiContact Center Business
MiContact Center Enterprise 9.1MiContact Center for Microsoft Lync
MiContact Center Solidus 9.0 SP1
Mitel 800
Mitel100/OpenComX320
MiVoice 5610 DECT Handset and IP DECT Stand
MiVoice Business - MCD (PPC)
MiVoice Business - MXe Server
MiVoice Business Console
MiVoice Call Accounting
MiVoice Call Recording
MiVoice for Lync
MiVoice Office 250 (Mitel 5000)
MiVoice Office 400
Oaisys Talkument
Oaisys Tracer
Open Interfaces Platform (OIP, OIP WebAdmin)
OpenCom 1000 family
OpenPhone 7x IP
PointSpan
Secure IP Remote Management SRM
SIP-DECT
SIP-DECT Open Mobility Manager
SIP-DECT with Cloud-ID
Solidus eCare 8.3 SP4
SX-200IP ICP
Telephony Switch (TSW)
Telepo
This list will be updated with additional information as it becomes available.
Risk Assessment
CVE-2015-7547 is rated as having moderate risk, in that it can create a complete denial of service on the vulnerable system, or potentially allow for the execution of unauthorized code.
Mitigation / Recommended Action
As per the vendor advisory:
This vulnerability can be “mitigated by using a trusted, protocol-compliant DNS resolver on a trusted network. A compliant resolver will not produce the kind of oversized responses which are necessary to exploit this vulnerability because by default, the glibc resolver does not enable EDNS0 and does not request large responses.
The TCP-based vector could be mitigated by a trusted recursive resolver on a trusted network which limits the size of individual DNS responses to 1023 bytes and below. However, such a capability is not common in DNS resolver implementations because it breaks the DNS protocol. (The buffer size configuration option offered by most resolvers only applies to UDP, not TCP.)
Rejecting AAAA responses, without also limiting the size of A responses, does not mitigate the vulnerability. Disabling IPv6 support on affected systems does not mitigate the vulnerability because the dual A/AAAA lookups are performed even if the system lacks IPv6 support.
External References