در چند روز اخیر یک  آسیب پذیری امنیتی سطح بالا (critical) از کتابخانه glibc موجود در اکثر توزیع های رایج لینوکسی ، گزارش شد.

این آسیب پذیری که CVE-2015-7547 را به خود اختصاص داده در تابع getaddrinfo() کشف شده است و به هکر اجازه می دهد یک حمله ی stack-based buffer overflow را به صورت local و یا حتی remote به اجرا بگذارد. به دلیل اینکه تابع آسیب پذیر  در بسیاری از سیستم های  مبتنی بر لینوکس مورد استفاده قرار می گیرد ، ریسک امنیتی آن دو چندان شده و باید جهت جلوگیری از هر گونه خسارات احتمالی به سرعت در سیستم ها وصله گردد.

جهت برطرف سازی آین آسیب پذیری میتوانید از روش های زیر استفاده نمایید :

سیستم عامل های مبتنی بر Redhat :

yum -y update glibc

سیستم عامل های مبتنی بر Debian:

apt-get upgrade glibc

فایروال های سیسکو ASA :

اعمال تغییرات زیر در global inspection میتواند مفید باشد :

policy-map type inspect dns preset_dns_map
    parameters
        message-length maximum 1024
!
policy-map global_policy
    class inspection_default
        inspect dns preset_dns_map
!
service-policy global_policy global

فایروال های PIX سیسکو :

fixup protocol dns maximum-length 1024

فایروال های سری SRX جونیپر :

set security alg dns maximum-message-length 2040

Fortinet هنوز اظهار نظر مشخصی در مورد این موضوع نکرده ولی برای رفع اسیب پذیری احتمالی میتوانید ALG DNS را به maximum-message-length 2040 تغییر دهید

توزیع ها و نسخه های آسیب پذیر:

 

در حال حاضر نسخه های برپایه RedHat در ورژن های ۳-۴-۵ آسیب پیذیر نیستند. طبق اعلام سایت redhat نسخه های زیر آسیب پذیرند:

PlatformErrataRelease Date
Red Hat Enterprise Linux Server EUS (v. 6.6) (glibc) RHSA-2016:0225 ۲۰۱۶-۰۲-۱۶
Red Hat Enterprise Linux Server AUS (v. 6.4) (glibc) RHSA-2016:0225 ۲۰۱۶-۰۲-۱۶
Red Hat Enterprise Linux Server AUS (v. 6.5) (glibc) RHSA-2016:0225 ۲۰۱۶-۰۲-۱۶
Red Hat Enterprise Linux version 7 (glibc) RHSA-2016:0176 ۲۰۱۶-۰۲-۱۶
Red Hat Enterprise Linux Server EUS (v. 7.1) (glibc) RHSA-2016:0225 ۲۰۱۶-۰۲-۱۶
Red Hat Enterprise Linux Server AUS (v. 6.2) (glibc) RHSA-2016:0225 ۲۰۱۶-۰۲-۱۶
Red Hat Enterprise Linux version 6 (glibc) RHSA-2016:0175 ۲۰۱۶-۰۲-۱۶
PlatformPackageState
Red Hat Enterprise Linux 3 glibc Not affected
Red Hat Enterprise Linux 5 glibc Not affected
Red Hat Enterprise Linux 4 glibc Not affected

نسخه های آسیب پذیر بر پایه Debian را در جدول زیر مشاهده می کنید:

Source PackageReleaseVersionStatus
eglibc (PTS) squeeze ۲٫۱۱٫۳-۴ vulnerable
  squeeze (lts) ۲٫۱۱٫۳-۴+deb6u11 fixed
  wheezy ۲٫۱۳-۳۸+deb7u8 vulnerable
  wheezy (security) ۲٫۱۳-۳۸+deb7u10 fixed
glibc (PTS) jessie ۲٫۱۹-۱۸+deb8u2 vulnerable
  jessie (security) ۲٫۱۹-۱۸+deb8u3 fixed
  stretch ۲٫۲۱-۸ fixed
  sid ۲٫۲۱-۹ fixed
PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
eglibc source (unstable) (unfixed)      
eglibc source squeeze ۲٫۱۱٫۳-۴+deb6u11   DLA-416-1  
eglibc source wheezy ۲٫۱۳-۳۸+deb7u10   DSA-3480-1  
glibc source (unstable) ۲٫۲۱-۸      
glibc source jessie ۲٫۱۹-۱۸+deb8u3   DSA-3481-1  

RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
CentOS Linux version 5.x, 6.x & 7.x
Ubuntu Linux version 10.04, 12.04 LTS
Debian Linux version 7.x
Linux Mint version 13.0
Fedora Linux version 19 or older
SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
Arch Linux glibc version <= 2.18-1

 

CISCO
Collaboration and Social Media

Cisco WebEx Node for MCS

Endpoint Clients and Client Software

Cisco Jabber Guest 10.0(2)
Cisco MMP server
Cisco NAC Agent for Mac
Cisco NAC Agent for Web
Cisco WebEx Productivity Tools
WebEx Recording Playback Client

Network Application, Service, and Acceleration

Cisco ACE 30 Application Control Engine Module
Cisco ACE 4700 Series Application Control Engine Appliances
Cisco Extensible Network Controller (XNC)
Cisco Intercloud Fabric
Cisco NAC Appliance
Cisco Nexus Data Broker (NDB)
Cisco Prime Network Service Controller (PNSC)

Network and Content Security Devices

ASA CX Context-Aware
Cisco ASA CX and Cisco Prime Security Manager
Cisco Adaptive Security Device Manager
Cisco Clean Access Manager
Cisco Content Security Management Appliance (SMA)
Cisco Intrusion Prevention System Solutions (IPS)
Cisco NAC Guest Server
Cisco Physical Access Control Gateway
Cisco Physical Access Manager
Cisco Secure ACS 5.x
Cisco Virtual Security Gateway for Microsoft Hyper-V

Network Management and Provisioning

Cisco Access Registrar Appliance
Cisco Application Networking Manager
Cisco Connected Grid Device Manager
Cisco Connected Grid Network Management System
Cisco Linear Stream Manager
Cisco MGC Node Manager (CMNM)
Cisco Multicast Manager
Cisco Prime Access Registrar Appliance
Cisco Prime Analytics
Cisco Prime Cable Provisioning
Cisco Prime Central for SPs
Cisco Prime Collaboration Assurance
Cisco Prime Home
Cisco Prime IP Express
Cisco Prime Infrastructure Standalone Plug and Play Gateway
Cisco Prime Infrastructure
Cisco Prime LAN Management Solution (LMS - Solaris)
Cisco Prime Network Registrar (CPNR) virtual appliance
Cisco Prime Network Registrar IP Address Manager (IPAM)
Cisco Prime Network
Cisco Prime Optical for SPs
Cisco Prime Performance Manager
Cisco Prime Provisioning for SPs
Cisco Prime Service Catalog Virtual Appliance
Cisco Videoscape Distribution Suite Service Manager
CiscoWorks Network Compliance Manager

Routing and Switching - Enterprise and Service Provider

Cisco ASR 9000 Series Integrated Service Module
Cisco Broadband Access Center Telco Wireless
Cisco Connected Grid Routers (CGR)
Cisco IOS-XE for ASR1k, ASR903, ISR4400, CSR1000v
Cisco IOS-XE for Catalyst 3k, 4k, AIR-CT5760, and Cisco RF Gateway 10 (RFGW-10)
Cisco IOS-XR for Cisco ASR 9000 Series Aggregation Services Routers
Cisco IOS-XR for Cisco CRS Routers
Cisco IOS-XR for Cisco XR 12000 Series Routers
Cisco IOS
Cisco MDS 9000 Series Multilayer Switches
Cisco Metro Ethernet 1200 Series Access Devices
Cisco Nexus 1000V InterCloud
Cisco Nexus 1000V Series Switches
Cisco Nexus 3000 series switches
Cisco Nexus 4000 Series Blade Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 7000
Cisco Nexus 9000 (ACI/Fabric Switch)
Cisco Nexus 9000 Series (standalone, running NxOS)
Cisco Prime Data Center Network Manager
Cisco Service Control Operating System
Cisco VPN Acceleration Engine
IOS-XR for Cisco Network Convergence System (NCS) 6000

Routing and Switching - Small Business

Cisco DPH150 Series MicroCell Solution

Unified Computing

Cisco Billing and Measurement Server 3.30
Cisco Common Crypto Module
Cisco Common Services Platform Collector
Cisco Standalone rack server CIMC
Cisco UCS ADA
Cisco UCS Director
Cisco UCS Invicta Series
Cisco Unified Computing Blade-Server CIMC
Cisco Unified Computing System E-Series Blade Server

Voice and Unified Communications Devices

Cisco 7937 IP Phone
Cisco Agent Desktop for Cisco Unified Contact Center Express
Cisco Broadband Access Center for Cable Tools Suite 4.1
Cisco Broadband Access Center for Cable Tools Suite 4.2
Cisco Desktop Collaboration Experience DX70 and DX80
Cisco Emergency Responder
Cisco Hosted Collaboration Mediation Fulfillment
Cisco IM and Presence Service (CUPS)
Cisco MediaSense
Cisco Prime Cable Provisioning Tools Suite 5.0
Cisco Prime Cable Provisioning Tools Suite 5.1
Cisco Remote Silent Monitoring
Cisco SPA525G
Cisco Unified 3900 series IP Phones
Cisco Unified 7800 series IP Phones
Cisco Unified 8961 IP Phone
Cisco Unified 9951 IP Phone
Cisco Unified 9971 IP Phone
Cisco Unified Client Services Framework
Cisco Unified Communications Domain Manager
Cisco Unified E-Mail Interaction Manager
Cisco Unified IP Conference Phone 8831 for Third-Party Call Control
Cisco Unified IP Phone 7900 Series
Cisco Unified IP Phone 8941 and 8945 (SIP)
Cisco Unified Operations Manager (CUOM)
Cisco Unified SIP Phone 3905
Cisco Unified Sip Proxy
Cisco Unified Web Interaction Manager
Cisco Unified Wireless IP Phone
Cisco Unified Workforce Optimization
Cisco Unity Connection (UC)
Cisco Unity Express
xony VIM/CCDM/CCMP

Video, Streaming, TelePresence, and Transcoding Devices

Cisco AnyRes Live (CAL)
Cisco AnyRes VOD (CAL)
Cisco Command 2000 Server (cmd2k) (RH Based)
Cisco D9824 Advanced Multi Decryption Receiver
Cisco D9854/D9854-I Advanced Program Receiver
Cisco D9858 Advanced Receiver Transcoder
Cisco D9859 Advanced Receiver Transcoder
Cisco Digital Transport Adapter Control System (DTACS)
Cisco Download Server (DLS) (Solaris)
Cisco Model D9485 DAVIC QPSK
Cisco Powerkey CAS Gateway (PCG)
Cisco Powerkey Encryption Server (PKES)
Cisco TelePresence 1310
Cisco TelePresence Conductor
Cisco TelePresence Exchange System (CTX)
Cisco TelePresence System 1000
Cisco TelePresence System 1100
Cisco TelePresence System 1300
Cisco TelePresence System 3000 Series
Cisco TelePresence System 500-32
Cisco TelePresence System 500-37
Cisco TelePresence TX 9000 Series
Cisco Transaction Encryption Device (TED)
Cisco Video Delivery System Recorder
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS)
Cisco Video Surveillance 3000 Series IP Cameras
Cisco Video Surveillance 4000 Series High-Definition IP Cameras
Cisco Video Surveillance 4300E/4500E High-Definition IP Cameras
Cisco Video Surveillance 6000 Series IP Cameras
Cisco Video Surveillance 7000 Series IP Cameras
Cisco Video Surveillance Media Server
Cisco Video Surveillance PTZ IP Cameras
Cisco Videoscape Distribution Suite Transparent Caching
Cisco Virtual PGW 2200 Softswitch
Cloud Object Store (COS)
VDS-Recorder
VDS-TV Caching GW
VDS-TV Streamer
VDS-TV Vault

Wireless

Cisco 3G Femtocell Wireless
Cisco Mobility Services Engine (MSE)
Cisco Wireless LAN Controller (WLC)
Cisco Wireless Security Gateway Application (WSG)
Digital Life RMS 1.8.1.1 Cisco Broadband Access Center Telco Wireless 3.8.1
Small Cell factory recovery root filesystem V2.99.4 or later

Cisco Hosted Services

Cisco Cloud Services
Cisco Cloud Web Security
Cisco Cloud and Systems Management
Cisco Intelligent Automation for Cloud
Cisco Partner Supporting Service
Cisco Proactive Network Operations Center
Cisco Services Provisioning Platform (SPP)
Cisco UCS Invicta Series Autosupport Portal
Cisco Unified Services Delivery Platform (CUSDP)
Cisco Universal Small Cell 5000 Series running V3.4.2.x software
Cisco Universal Small Cell 7000 Series running V3.4.2.x software
Cisco WebEx Meeting Center
Communication/Collaboration Sizing Tool, Virtue Machine Placement Tool, Cisco Unified Communications Upgrade Readiness Assessment
Data Center Analytics Framework (DCAF) UCS Collector
Feature Analytics Service
Network Change and Configuration Management
Network Health Framework (NHF)
Network Performance Analytics (NPA)
Partner Supporting Service (PSS) 1.x
Partner Supporting Service (PSS) 2.x
Smart Net Total Care (SNTC)
Smart Net Total Care
Support Central

Vulnerable Products

ProductDefectFixed Releases Availability
Collaboration and Social Media
Cisco WebEx Meetings Server versions 1.x CSCuy36539  
Cisco WebEx Meetings Server versions 2.x CSCuy36539  
Network Application, Service, and Acceleration
Cisco Visual Quality Experience Server CSCuy35276  
Cisco Visual Quality Experience Tools Server CSCuy35276  
Network and Content Security Devices
Cisco FireSIGHT System Software CSCuy32284  
Cisco Identity Services Engine (ISE) CSCuy34700  
Network Management and Provisioning
Cisco Prime Collaboration Deployment CSCuy36602  
Cisco Prime Data Center Network Manager (.ova and .iso installers) CSCuy36546  
Cisco Prime License Manager CSCuy35265  
Routing and Switching - Enterprise and Service Provider
Cisco ASR 5000 Series CSCuy36531  
Voice and Unified Communications Devices
Cisco Paging Server (Informacast) CSCuy36612 11.5.1 (June 2016)
Cisco Paging Server CSCuy36612 11.5.1 (June 2016)
Cisco Unified Communications Manager (UCM) CSCuy32014  
Cisco Unified Communications Manager Session Management Edition (SME) CSCuy32014  
Video, Streaming, TelePresence, and Transcoding Devices
Cisco DCM Series 9900-Digital Content Manager CSCuy35251  
Cisco Edge 300 Digital Media Player CSCuy35298  
Cisco Edge 340 Digital Media Player CSCuy35299  
Cisco Expressway Series CSCuy35269  
Cisco TelePresence Server 8710, 7010 CSCuy35268  
Cisco TelePresence Server on Multiparty Media 310, 320 CSCuy35268  
Cisco TelePresence Server on Virtual Machine CSCuy35268  
Cisco TelePresence Video Communication Server (VCS) CSCuy35269  
Cisco Hosted Services
Cisco WebEx Messenger Service CSCuy36540  

 

 Juniper Product Status
 
The following products have been confirmed to be not vulnerable to the glibc issue reported as CVE-2015-7547:
 
Junos OS does not use glibc and is not affected by this issue.
Note: Linux VM-based platforms (e.g. vSRX, vMX, etc.) include glibc, but do not make use of DNS client libraries during normal operation.

Junos Space

ScreenOS uses a different implementation of libc and is likely not affected by this issue. Engineering is continuing to investigate.

QFabric Director

JUNOSe

CTP and CTPView

NSM server relies on underlying OS glibc library. Contact OS vendor

SBR Carrier relies on underlying OS glibc library. Contact OS vendor

WX/WXC

Netscreen IDP
 
Other products are still under investigation.



Friday, August 5, 2016

« برگشت