We've received a few requests for information regarding the stack-based buffer overflow vulnerability. This is "hot off the press" with additional information coming next week.
Problem Summary
NIOS DNS servers are vulnerable to CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow
Overview
On February 16, 2016, a vulnerability in glibc's DNS resolver was disclosed publicly. It is tracked as CVE-2015-7547. The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo library function is used. This function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers or through a man-in-the-middle attack. A discussion of the problem from glibc developers is available athttps://sourceware.org/ml/libc-alpha/2016-02/msg00416.html Google has also provided detailed information at: https://googleonlinesecurity.blogspot.com/2016/02/cve-2015-7547-glibc-getaddrinfo-stack.html
Affected Versions
All versions of NIOS
Description
All existing versions of NIOS are vulnerable in a limited fashion. This vulnerability does not affect the BIND resolver, which is used to provide the vast majority of DNS services in NIOS. The vulnerability is in the glibc resolver that is used by the Linux host in a small number of cases. The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Examples of such cases in NIOS are DNS name resolution of member hostname's and Infoblox servers that provide services to the appliance. The vulnerability requires the configuration of a domain name which resolves to a comprised server, or a successful man-in-the-middle attack during such name resolution - making this very difficult to exploit.
Impact
The likelihood for this happening in the NIOS environment is low. Remote code execution is possible, but not at all straightforward. The most likely outcome is that part of NIOS using the getaddrinfo suffers a service interruption. The most likely failure case is probable if someone uses dig to query a compromised server and dig command dies (and nothing more happens).
Workaround
A firewall rule may be put in place on the customer's firewall to block overly large UDP or TCP response packets - a downside to this firewall rule is that it can also block some legitimate traffic, such as DNSSEC. See the discussions above for more details.
Resolution
To avoid this low vulnerability defect, Infoblox recommends that customers upgrade all NIOS servers to the following NIOS releases: 6.12.16, 7.1.10, 7.2.6 and 7.3.2. These NIOS release will be available next week from the Downloads page on the support site.
