Recently Google discovered the glibc getaddrinfo (CVE-2015-7547) vulnerability: https://googleonlinesecurity.blogspot.co.il/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html

We run our application on CentOS 6. I found the following here: https://rhn.redhat.com/errata/RHSA-2016-0225.html

Note: this issue is only exposed when libresolv is called from the nss_dns NSS service module. (CVE-2015-7547)

Should I update glibc if I do not configure DNS? I have the following in /etc/resolv.conf

nameserver 127.0.0.1
Michael

2 Answers

Should I update glibc if I disable DNS service?

Should I update glibc if I enable DNS service?

The DNS service is about running your own DNS server. This bug is unrelated to this but is instead related to the DNS lookups done by the applications, i.e. your browser looking up the IP address of a site based on the hostname in the URL. Thus yes, you need to update.

Should I update glibc if I do not configure DNS? I have the following in /etc/resolv.conf

Unless the name server at 127.0.0.1 is a server which protects you from this kind of attack, you should update. Note that according to Red Hat the usual dnsmasq etc. will probably not fully protect you:

  1. Can a trusted DNS resolver protect against this issue? A trusted resolver, in a default, protocol-compliant configuration, cannot mitigate this issue because potential exploits could involve syntactically well-formed DNS responses.
Steffen Ullrich
    @Michael: see edited response - but please stop changing your question all the time. Please understand that DNS is everywhere even if you did not configure it specifically. If the system has this bug and it is connected to the internet then it is probably doing DNS lookups which means that you need to patch it. – Steffen Ullrich Feb 17 '16 at 10:44
  • Correct, as seen here -- https://blog.cloudflare.com/a-tale-of-a-dns-exploit-cve-2015-7547/ -- dnsmasq will not protect you – atdre Feb 29 '16 at 15:20
Why shouldn't you upgrade? I usually evaluate the need to upgrade or not depending on whether it affects our infrastructure; however, in this case there are no doubts about it. Plus, it is rated as critical. Having 127.0.0.1 does not mean that you do not have DNS; you could be pointing to a dnsmasq, for instance. As others said, DNS is everywhere.

Even without pointing to a DNS server, theoretically it would be possible to have a compromise via a local application (or a rogue local user), exploiting one avenue of compromise to escalate his privileges to another user.

Rui F Ribeiro
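A defender-side check for the two points the answers make (the Red Hat note that nss_dns is the exposed path, and that 127.0.0.1 does not mean "no DNS"), added here as example code that is not from the question or either answer; it assumes the standard /etc/nsswitch.conf and /etc/resolv.conf formats and takes the file paths as parameters so that the constructed sample files below run offline:

```shell
#!/bin/sh
# Added example (not from the original post). RHSA-2016-0225 notes that
# CVE-2015-7547 is exposed when libresolv is reached through the nss_dns
# NSS module, so the useful questions on a host are:
#   1. does the "hosts:" line of nsswitch.conf list "dns" at all?
#   2. which nameservers does resolv.conf point at? 127.0.0.1 usually means
#      a local forwarder such as dnsmasq, which relays the same (possibly
#      malicious) responses, so it does not take the host out of scope.

# Succeeds (exit 0) when the hosts: line of the given nsswitch.conf lists dns.
nss_uses_dns() {
    grep -E '^[[:space:]]*hosts:' "$1" | grep -Eq '[[:space:]]dns([[:space:]]|$)'
}

# Prints the nameserver addresses from the given resolv.conf, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Prints "exposed" when the nss_dns path is reachable (any resolver, local
# or remote) and "not-exposed" only when dns is absent from the hosts: line.
# An "exposed" host still needs the errata glibc; this check does not replace it.
classify() {
    if nss_uses_dns "$1"; then echo exposed; else echo not-exposed; fi
}

# Constructed sample configs (not from the original post) so the check runs offline.
SAMPLE_DIR=$(mktemp -d)
printf 'hosts:      files dns\n' > "$SAMPLE_DIR/nsswitch-default.conf"
printf 'hosts:      files\n'     > "$SAMPLE_DIR/nsswitch-nodns.conf"
printf 'nameserver 127.0.0.1\n'  > "$SAMPLE_DIR/resolv.conf"

# On a real host: classify /etc/nsswitch.conf; resolv_nameservers /etc/resolv.conf
classify "$SAMPLE_DIR/nsswitch-default.conf"   # exposed
classify "$SAMPLE_DIR/nsswitch-nodns.conf"     # not-exposed
resolv_nameservers "$SAMPLE_DIR/resolv.conf"   # 127.0.0.1
```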