SA114: GNU C Library (glibc) Remote Code Execution February 2016

Security Advisories ID: SA114
Published Date: February 19, 2016
Advisory Status: Final
Advisory Severity: High
CVSS v2 base score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVE Number: CVE-2015-7547 - 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)

Blue Coat products using an affected version of the GNU C Library (glibc) are susceptible to a remote code execution attack. A remote attacker can send a crafted DNS response to the glibc DNS resolver and cause the resolver to crash or execute arbitrary code.

Affected Products: 

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 prior to 6.6.4.1 is vulnerable.

Content Analysis System
CAS 1.2 and 1.3 prior to 1.3.6.1 are vulnerable.

Malware Analysis Appliance
MAA 4.2 prior to 4.2.8 is vulnerable.

Management Center
MC 1.5 prior to 1.5.3.1 is vulnerable.  MC 1.6, 1.7, and 1.8 are not vulnerable.

Norman Shark Industrial Control System Protection
ICSP 5.3 prior to 5.3.6 is vulnerable.

Norman Shark Network Protection
NNP 5.3 prior to 5.3.6 is vulnerable.

Norman Shark SCADA Protection
NSP 5.3 prior to 5.3.6 is vulnerable.

PacketShaper S-Series
PS S-Series 11.2, 11.3, 11.4, and 11.5 prior to 11.5.3.1 are vulnerable. PS S-Series 11.6 and 11.7 are not vulnerable.

PolicyCenter S-Series
PC S-Series 1.1 prior to 1.1.2.1 is vulnerable.

Reporter
Reporter 10.1 prior to 10.1.4.1 is vulnerable.  Reporter 9.4 and 9.5 are not vulnerable.

Security Analytics
SA 6.6 prior to 6.6.12, 7.0, and 7.1 prior to 7.1.11 are vulnerable.  SA 7.2 is not vulnerable.

SSL Visibility
SSLV 3.8 prior to 3.8.6-14, 3.8.4FC prior to 3.8.4FC-55, and 3.9 prior to 3.9.3.3 are vulnerable.  SSLV 3.10 and 3.11 are not vulnerable.

X-Series XOS
XOS 10.0 prior to 10.0.6 and 11.0 prior to 11.0.2 are vulnerable. XOS 9.7 is not vulnerable.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
Director
General Auth Connector Login Application
IntelligenceCenter
IntelligenceCenter Data Collector
K9
Mail Transfer Defense
PacketShaper
PolicyCenter
ProxyClient
ProxyAV
ProxyAV ConLog and ConLogXP
ProxySG
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support for vulnerability information on DLP.

Advisory Details: 

A stack-based buffer overflow exists in the GNU C Library (glibc) versions 2.9 through 2.22.  Blue Coat products that include a vulnerable version of glibc are vulnerable.

The stack-based buffer overflow exists in the glibc client DNS resolver implementation (libresolv) when invoked from the libnss_dns module.  The buffer overflow occurs in the libnss_dns send_dg() and send_vc() functions when a userspace application resolves a DNS name by calling getaddrinfo() with the AF_UNSPEC parameter.  The AF_UNSPEC parameter does not tell the resolver whether to resolve the DNS name to an IPv4 or IPv6 address, so the resolver sends both type A (IPv4) and AAAA (IPv6) DNS queries in parallel.  Mismanagement of the buffers allocated for the queries may cause an oversized response to a DNS query to be written beyond the bounds of the query's buffer.

A remote attacker can exploit this vulnerability by sending a crafted, oversized DNS response to the DNS resolver.  The resolver will crash or execute arbitrary code with the access privileges of the application requesting the DNS name resolution.  If the application runs with root privileges, the remote attacker will gain root access and have complete control of the target.

Blue Coat products that use a native installation of glibc but do not install or maintain that implementation are not vulnerable.  However, the underlying platform that provides the glibc library may be vulnerable.  Blue Coat urges customers to update the versions of glibc that are natively installed for Client Connector, ProxyClient, and Reporter 9.x for Linux.

Workarounds: 

Blue Coat's ProxySG appliance can be used to protect against the glibc remote code execution attack.  Customers using ProxySG as a reverse proxy can protect network hosts by blocking the oversized DNS responses that trigger the stack-based buffer overflow.  DNS responses over TCP should be limited to 1024 bytes and DNS responses over UDP should be limited to 512 bytes.  ProxySG 6.5 and 6.6 customers can use the following CPL syntax:

<dns-proxy>
dns.request.threat_risk.level=7.. dns.respond(refused)
 
<dns-proxy> dns.client_transport=tcp
dns.response.cname.length=1024.. dns.respond(refused)
dns.response.ptr.length=1024.. dns.respond(refused)
 
<dns-proxy> dns.client_transport=udp
dns.response.cname.length=512.. dns.respond(refused)
dns.response.ptr.length=512.. dns.respond(refused)
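
An added example, not part of Blue Coat's advisory or product code: a Python check that applies the size limits stated above (512 bytes over UDP, 1024 bytes over TCP) to captured DNS payloads, so the same thresholds can be used when reviewing packet captures. It measures the whole DNS message rather than the CNAME/PTR lengths the CPL rules test; all function names and the sample messages are constructed for illustration.

```python
import struct

# Limits from the advisory's workaround text (bytes per DNS response).
LIMITS = {"udp": 512, "tcp": 1024}

def is_response(msg: bytes) -> bool:
    """True when a full 12-byte DNS header is present and the QR bit is set."""
    if len(msg) < 12:
        return False
    return bool(struct.unpack("!H", msg[2:4])[0] & 0x8000)

def split_tcp_stream(stream: bytes):
    """Yield DNS messages from a TCP stream (each has a 2-byte length prefix)."""
    off = 0
    while off + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[off:off + 2])
        body = stream[off + 2:off + 2 + length]
        if len(body) < length:
            break  # truncated capture: stop rather than guess at the rest
        yield body
        off += 2 + length

def oversized_responses(transport: str, payload: bytes):
    """Return (transaction id, size) for each response larger than the limit."""
    limit = LIMITS[transport]
    msgs = split_tcp_stream(payload) if transport == "tcp" else [payload]
    hits = []
    for m in msgs:
        if is_response(m) and len(m) > limit:  # a message exactly at the limit passes
            hits.append((struct.unpack("!H", m[:2])[0], len(m)))
    return hits

def make_msg(txid: int, response: bool, size: int) -> bytes:
    """Constructed sample: real header layout, zero padding (not a valid DNS body)."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!6H", txid, flags, 0, 0, 0, 0) + b"\x00" * (size - 12)

def frame(msg: bytes) -> bytes:
    """Add the 2-byte length prefix used for DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg

if __name__ == "__main__":
    print(oversized_responses("udp", make_msg(0x1111, True, 513)))
    tcp = frame(make_msg(0x2222, True, 1024)) + frame(make_msg(0x3333, True, 2048))
    print(oversized_responses("tcp", tcp))
```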

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is available in 6.6.4.1.

Content Analysis System
CAS 1.3 - a fix is available in 1.3.6.1.
CAS 1.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

Malware Analysis Appliance
MAA 4.2 - a fix is available in 4.2.8.

Management Center
MC 1.5 - a fix is available in 1.5.3.1.

Norman Shark Industrial Control System Protection
ICSP 5.3 - a fix is available in 5.3.6.

Norman Shark Network Protection
NNP 5.3 - a fix is available in 5.3.6.

Norman Shark SCADA Protection
NSP 5.3 - a fix is available in 5.3.6.

PacketShaper S-Series
PS S-Series 11.5 - a fix is available in 11.5.3.1.
PS S-Series 11.4 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.3 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
PS S-Series 11.2 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.

PolicyCenter S-Series
PC S-Series 1.1 - a fix is available in 1.1.2.1.

Reporter
Reporter 10.1 - a fix is available in 10.1.4.1.

Security Analytics
SA 7.1 - a fix is available in 7.1.11.
SA 7.0 - a fix will not be provided.  Please upgrade to a later version with the vulnerability fixes.
SA 6.6 - a fix is available in 6.6.12.

SSL Visibility
SSLV 3.9 - a fix is available in 3.9.3.3.
SSLV 3.8.4FC - a fix is available in 3.8.4FC-55.
SSLV 3.8 - a fix is available in 3.8.6-14.

X-Series XOS
XOS 11.0 - a fix is available in 11.0.2.
XOS 10.0 - a fix is available in 10.0.6.

Advisory History: 

2017-02-07 MC 1.8 is not vulnerable.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.  SA status moved to Final.
2016-12-04 SSLV 3.11 is not vulnerable. PacketShaper S-Series 11.7 is not vulnerable.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-11 SSLV 3.10 is not vulnerable.
2016-10-26 MC 1.6 and 1.7 are not vulnerable.
2016-09-01 A fix for SSLV 3.8.4FC is available in 3.8.4FC-55.
2016-08-12 Security Analytics 7.2 is not vulnerable.
2016-07-16 A fix for XOS 10.0 is available in 10.0.6.  A fix for XOS 11.0 is available in 11.0.2.
2016-06-30 PacketShaper S-Series 11.6 is not vulnerable.
2016-06-27 Fixes will not be provided for PacketShaper S-Series 11.2, 11.3, and 11.4.  Please upgrade to a later version with the vulnerability fixes.
2016-06-23 A fix for ASG is available in 6.6.4.1.
2016-06-14 A fix for SA 7.0 will not be provided.  Please upgrade to a later version with the vulnerability fixes.
2016-06-13 Fixes for ICSP, NNP, and NSP are available in 5.3.6.
2016-05-19 Fixes are available in Security Analytics 6.6.12 and 7.1.11.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-28 A fix for PacketShaper S-Series 11.5 is available in 11.5.3.1.  A fix for PolicyCenter S-Series is available in 1.1.2.1.
2016-04-24 Mail Transfer Defense is not vulnerable.
2016-04-15 A fix will not be provided for CAS 1.2.  Please upgrade to a later version with the vulnerability fixes.
2016-04-01 A fix for Reporter 10.1 is available in 10.1.4.1.
2016-03-23 XOS 9.7 is not vulnerable.
2016-03-17 A fix for SSLV 3.8 is available in 3.8.6-14.
2016-03-14 Fixes are available for CAS 1.3 in 1.3.6.1 and for MC 1.5 in 1.5.3.1.
2016-03-10 A fix for MAA 4.2 is available in 4.2.8.
2016-03-04 A fix for SSLV 3.9 is available in 3.9.3.3.
2016-02-29 Added CVSS v2 score
2016-02-19 initial public release
