Imperva Security Response to CVE-2015-7547 (glibc getaddrinfo stack-based buffer overflow - Critical)

This is not an application-level vulnerability, so virtual patching using SecureSphere is not applicable. For applications that may be vulnerable to CVE-2015-7547, update the version of glibc in their Linux implementations or implement the mitigation techniques highlighted below.

Due to the critical nature of this CVE, Imperva recommends patching all of your affected Linux servers immediately, including SecureSphere, or implementing the iptables mitigation.

On February 16, 2016, Google published CVE-2015-7547, which is categorized as “Critical”, and identified a patch for this vulnerability.

This vulnerability in the glibc client-side DNS resolver could allow remote code execution if an attacker sends large DNS packets that cause a buffer overflow, using attacker-controlled domain names, attacker-controlled DNS servers, or a man-in-the-middle attack.

The vulnerability affects all versions of glibc 2.9 or higher.

The vulnerability relies on an oversized (2048+ bytes) UDP or TCP response, which is followed by another response that will overwrite the stack. Under certain conditions a mismatch between the stack buffer and the new heap allocation will happen. The final effect is that the stack buffer will be used to store the DNS response, even though the response is larger than the stack buffer and a heap buffer was allocated. This behavior leads to the stack buffer overflow.[1]
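
One way to look for the oversized responses described above in recorded port-53 traffic, as an added example that is not Imperva's code or mitigation. The record format (source, transport, payload), the function names, the flagging threshold and the sample data are assumptions made for illustration.

```python
import struct

OVERSIZE = 2048  # size the advisory cites ("2048+ bytes"); threshold is an assumption

def dns_messages(transport, payload):
    """Yield (declared_length, bytes_present) per DNS message in a port-53 payload."""
    if transport == "udp":
        yield len(payload), payload            # one datagram carries one message
        return
    pos = 0
    while pos + 2 <= len(payload):             # TCP: 2-byte length prefix per message
        (declared,) = struct.unpack_from("!H", payload, pos)
        yield declared, payload[pos + 2 : pos + 2 + declared]
        pos += 2 + declared

def is_response(msg):
    """True when the 12-byte header is present and its QR bit marks a response."""
    if len(msg) < 12:
        return False
    _ident, flags = struct.unpack_from("!HH", msg, 0)
    return bool(flags & 0x8000)

def oversized_responses(records, limit=OVERSIZE):
    """Return (source, transport, size) for each response declaring >= limit bytes."""
    hits = []
    for source, transport, payload in records:
        for declared, msg in dns_messages(transport, payload):
            if is_response(msg) and declared >= limit:
                hits.append((source, transport, declared))
    return hits

def sample_msg(size, response=True):
    """Constructed input: a DNS header zero-padded to `size` bytes."""
    flags = 0x8180 if response else 0x0100
    return struct.pack("!HHHHHH", 0x1234, flags, 1, 0, 0, 0) + bytes(size - 12)

def tcp_frame(*msgs):
    """Prefix each message with its length, as DNS over TCP does."""
    return b"".join(struct.pack("!H", len(m)) + m for m in msgs)

# Constructed records using documentation addresses, not captured traffic.
SAMPLE = [
    ("192.0.2.53", "udp", sample_msg(120)),                     # normal answer
    ("192.0.2.53", "udp", sample_msg(2100, response=False)),    # large query, ignored
    ("198.51.100.7", "udp", sample_msg(2049)),                  # oversized over UDP
    ("198.51.100.7", "tcp", tcp_frame(sample_msg(300), sample_msg(4000))),
]

if __name__ == "__main__":
    for hit in oversized_responses(SAMPLE):
        print("oversized DNS response from %s over %s: %d bytes" % hit)
```

Large responses also occur legitimately (for example DNSSEC-signed answers over TCP), so a hit is a lead for review, not proof of exploitation.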

Impact to Imperva SecureSphere Customers
Imperva SecureSphere is vulnerable because SecureSphere appliances make use of a vulnerable version of glibc. As a result, Imperva recommends implementing a manual mitigation to reduce the risk of exploitation. Please contact Imperva Technical Support for more details.

Imperva recommends patching all affected Linux servers immediately.

Protecting Applications:
Imperva will also be making a patch available in order to upgrade the version of glibc to the latest version. Until that time, technical details on how to manually implement a workaround to protect SecureSphere appliances or other Linux servers are available by contacting Imperva Technical Support.

1 Details thanks to