این آسیب پذیری که CVE-2015-7547 را به خود اختصاص داده در تابع getaddrinfo() کشف شده است و به هکر اجازه می دهد یک حمله ی stack-based buffer overflow را به صورت local و یا حتی remote به اجرا بگذارد. به دلیل اینکه تابع آسیب پذیر در بسیاری از سیستم های مبتنی بر لینوکس مورد استفاده قرار می گیرد ، ریسک امنیتی آن دو چندان شده و باید جهت جلوگیری از هر گونه خسارات احتمالی به سرعت در سیستم ها وصله گردد.
جهت برطرف سازی آین آسیب پذیری میتوانید از روش های زیر استفاده نمایید :
سیستم عامل های مبتنی بر Redhat :
yum -y update glibc
سیستم عامل های مبتنی بر Debian:
apt-get upgrade glibc
فایروال های سیسکو ASA :
اعمال تغییرات زیر در global inspection میتواند مفید باشد :
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 1024
!
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
!
service-policy global_policy global
فایروال های PIX سیسکو :
fixup protocol dns maximum-length 1024
فایروال های سری SRX جونیپر :
set security alg dns maximum-message-length 2040
Fortinet هنوز اظهار نظر مشخصی در مورد این موضوع نکرده ولی برای رفع اسیب پذیری احتمالی میتوانید ALG DNS را به maximum-message-length 2040 تغییر دهید
توزیع ها و نسخه های آسیب پذیر:
در حال حاضر نسخه های برپایه RedHat در ورژن های ۳-۴-۵ آسیب پیذیر نیستند. طبق اعلام سایت redhat نسخه های زیر آسیب پذیرند:
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux Server EUS (v. 6.6) (glibc) | RHSA-2016:0225 | ۲۰۱۶-۰۲-۱۶ |
| Red Hat Enterprise Linux Server AUS (v. 6.4) (glibc) | RHSA-2016:0225 | ۲۰۱۶-۰۲-۱۶ |
| Red Hat Enterprise Linux Server AUS (v. 6.5) (glibc) | RHSA-2016:0225 | ۲۰۱۶-۰۲-۱۶ |
| Red Hat Enterprise Linux version 7 (glibc) | RHSA-2016:0176 | ۲۰۱۶-۰۲-۱۶ |
| Red Hat Enterprise Linux Server EUS (v. 7.1) (glibc) | RHSA-2016:0225 | ۲۰۱۶-۰۲-۱۶ |
| Red Hat Enterprise Linux Server AUS (v. 6.2) (glibc) | RHSA-2016:0225 | ۲۰۱۶-۰۲-۱۶ |
| Red Hat Enterprise Linux version 6 (glibc) | RHSA-2016:0175 | ۲۰۱۶-۰۲-۱۶ |
| Platform | Package | State |
|---|---|---|
| Red Hat Enterprise Linux 3 | glibc | Not affected |
| Red Hat Enterprise Linux 5 | glibc | Not affected |
| Red Hat Enterprise Linux 4 | glibc | Not affected |
نسخه های آسیب پذیر بر پایه Debian را در جدول زیر مشاهده می کنید:
| Source Package | Release | Version | Status |
|---|---|---|---|
| eglibc (PTS) | squeeze | ۲٫۱۱٫۳-۴ | vulnerable |
| squeeze (lts) | ۲٫۱۱٫۳-۴+deb6u11 | fixed | |
| wheezy | ۲٫۱۳-۳۸+deb7u8 | vulnerable | |
| wheezy (security) | ۲٫۱۳-۳۸+deb7u10 | fixed | |
| glibc (PTS) | jessie | ۲٫۱۹-۱۸+deb8u2 | vulnerable |
| jessie (security) | ۲٫۱۹-۱۸+deb8u3 | fixed | |
| stretch | ۲٫۲۱-۸ | fixed | |
| sid | ۲٫۲۱-۹ | fixed |
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| eglibc | source | (unstable) | (unfixed) | |||
| eglibc | source | squeeze | ۲٫۱۱٫۳-۴+deb6u11 | DLA-416-1 | ||
| eglibc | source | wheezy | ۲٫۱۳-۳۸+deb7u10 | DSA-3480-1 | ||
| glibc | source | (unstable) | ۲٫۲۱-۸ | |||
| glibc | source | jessie | ۲٫۱۹-۱۸+deb8u3 | DSA-3481-1 |
RHEL (Red Hat Enterprise Linux) version 5.x, 6.x and 7.x
CentOS Linux version 5.x, 6.x & 7.x
Ubuntu Linux version 10.04, 12.04 LTS
Debian Linux version 7.x
Linux Mint version 13.0
Fedora Linux version 19 or older
SUSE Linux Enterprise 11 and older (also OpenSuse Linux 11 or older versions).
Arch Linux glibc version <= 2.18-1
CISCO
Collaboration and Social Media
Cisco WebEx Node for MCS
Endpoint Clients and Client Software
Cisco Jabber Guest 10.0(2)
Cisco MMP server
Cisco NAC Agent for Mac
Cisco NAC Agent for Web
Cisco WebEx Productivity Tools
WebEx Recording Playback Client
Network Application, Service, and Acceleration
Cisco ACE 30 Application Control Engine Module
Cisco ACE 4700 Series Application Control Engine Appliances
Cisco Extensible Network Controller (XNC)
Cisco Intercloud Fabric
Cisco NAC Appliance
Cisco Nexus Data Broker (NDB)
Cisco Prime Network Service Controller (PNSC)
Network and Content Security Devices
ASA CX Context-Aware
Cisco ASA CX and Cisco Prime Security Manager
Cisco Adaptive Security Device Manager
Cisco Clean Access Manager
Cisco Content Security Management Appliance (SMA)
Cisco Intrusion Prevention System Solutions (IPS)
Cisco NAC Guest Server
Cisco Physical Access Control Gateway
Cisco Physical Access Manager
Cisco Secure ACS 5.x
Cisco Virtual Security Gateway for Microsoft Hyper-V
Network Management and Provisioning
Cisco Access Registrar Appliance
Cisco Application Networking Manager
Cisco Connected Grid Device Manager
Cisco Connected Grid Network Management System
Cisco Linear Stream Manager
Cisco MGC Node Manager (CMNM)
Cisco Multicast Manager
Cisco Prime Access Registrar Appliance
Cisco Prime Analytics
Cisco Prime Cable Provisioning
Cisco Prime Central for SPs
Cisco Prime Collaboration Assurance
Cisco Prime Home
Cisco Prime IP Express
Cisco Prime Infrastructure Standalone Plug and Play Gateway
Cisco Prime Infrastructure
Cisco Prime LAN Management Solution (LMS - Solaris)
Cisco Prime Network Registrar (CPNR) virtual appliance
Cisco Prime Network Registrar IP Address Manager (IPAM)
Cisco Prime Network
Cisco Prime Optical for SPs
Cisco Prime Performance Manager
Cisco Prime Provisioning for SPs
Cisco Prime Service Catalog Virtual Appliance
Cisco Videoscape Distribution Suite Service Manager
CiscoWorks Network Compliance Manager
Routing and Switching - Enterprise and Service Provider
Cisco ASR 9000 Series Integrated Service Module
Cisco Broadband Access Center Telco Wireless
Cisco Connected Grid Routers (CGR)
Cisco IOS-XE for ASR1k, ASR903, ISR4400, CSR1000v
Cisco IOS-XE for Catalyst 3k, 4k, AIR-CT5760, and Cisco RF Gateway 10 (RFGW-10)
Cisco IOS-XR for Cisco ASR 9000 Series Aggregation Services Routers
Cisco IOS-XR for Cisco CRS Routers
Cisco IOS-XR for Cisco XR 12000 Series Routers
Cisco IOS
Cisco MDS 9000 Series Multilayer Switches
Cisco Metro Ethernet 1200 Series Access Devices
Cisco Nexus 1000V InterCloud
Cisco Nexus 1000V Series Switches
Cisco Nexus 3000 series switches
Cisco Nexus 4000 Series Blade Switches
Cisco Nexus 5000 Series Switches
Cisco Nexus 7000
Cisco Nexus 9000 (ACI/Fabric Switch)
Cisco Nexus 9000 Series (standalone, running NxOS)
Cisco Prime Data Center Network Manager
Cisco Service Control Operating System
Cisco VPN Acceleration Engine
IOS-XR for Cisco Network Convergence System (NCS) 6000
Routing and Switching - Small Business
Cisco DPH150 Series MicroCell Solution
Unified Computing
Cisco Billing and Measurement Server 3.30
Cisco Common Crypto Module
Cisco Common Services Platform Collector
Cisco Standalone rack server CIMC
Cisco UCS ADA
Cisco UCS Director
Cisco UCS Invicta Series
Cisco Unified Computing Blade-Server CIMC
Cisco Unified Computing System E-Series Blade Server
Voice and Unified Communications Devices
Cisco 7937 IP Phone
Cisco Agent Desktop for Cisco Unified Contact Center Express
Cisco Broadband Access Center for Cable Tools Suite 4.1
Cisco Broadband Access Center for Cable Tools Suite 4.2
Cisco Desktop Collaboration Experience DX70 and DX80
Cisco Emergency Responder
Cisco Hosted Collaboration Mediation Fulfillment
Cisco IM and Presence Service (CUPS)
Cisco MediaSense
Cisco Prime Cable Provisioning Tools Suite 5.0
Cisco Prime Cable Provisioning Tools Suite 5.1
Cisco Remote Silent Monitoring
Cisco SPA525G
Cisco Unified 3900 series IP Phones
Cisco Unified 7800 series IP Phones
Cisco Unified 8961 IP Phone
Cisco Unified 9951 IP Phone
Cisco Unified 9971 IP Phone
Cisco Unified Client Services Framework
Cisco Unified Communications Domain Manager
Cisco Unified E-Mail Interaction Manager
Cisco Unified IP Conference Phone 8831 for Third-Party Call Control
Cisco Unified IP Phone 7900 Series
Cisco Unified IP Phone 8941 and 8945 (SIP)
Cisco Unified Operations Manager (CUOM)
Cisco Unified SIP Phone 3905
Cisco Unified Sip Proxy
Cisco Unified Web Interaction Manager
Cisco Unified Wireless IP Phone
Cisco Unified Workforce Optimization
Cisco Unity Connection (UC)
Cisco Unity Express
xony VIM/CCDM/CCMP
Video, Streaming, TelePresence, and Transcoding Devices
Cisco AnyRes Live (CAL)
Cisco AnyRes VOD (CAL)
Cisco Command 2000 Server (cmd2k) (RH Based)
Cisco D9824 Advanced Multi Decryption Receiver
Cisco D9854/D9854-I Advanced Program Receiver
Cisco D9858 Advanced Receiver Transcoder
Cisco D9859 Advanced Receiver Transcoder
Cisco Digital Transport Adapter Control System (DTACS)
Cisco Download Server (DLS) (Solaris)
Cisco Model D9485 DAVIC QPSK
Cisco Powerkey CAS Gateway (PCG)
Cisco Powerkey Encryption Server (PKES)
Cisco TelePresence 1310
Cisco TelePresence Conductor
Cisco TelePresence Exchange System (CTX)
Cisco TelePresence System 1000
Cisco TelePresence System 1100
Cisco TelePresence System 1300
Cisco TelePresence System 3000 Series
Cisco TelePresence System 500-32
Cisco TelePresence System 500-37
Cisco TelePresence TX 9000 Series
Cisco Transaction Encryption Device (TED)
Cisco Video Delivery System Recorder
Cisco Video Distribution Suite for Internet Streaming (VDS-IS/CDS-IS)
Cisco Video Surveillance 3000 Series IP Cameras
Cisco Video Surveillance 4000 Series High-Definition IP Cameras
Cisco Video Surveillance 4300E/4500E High-Definition IP Cameras
Cisco Video Surveillance 6000 Series IP Cameras
Cisco Video Surveillance 7000 Series IP Cameras
Cisco Video Surveillance Media Server
Cisco Video Surveillance PTZ IP Cameras
Cisco Videoscape Distribution Suite Transparent Caching
Cisco Virtual PGW 2200 Softswitch
Cloud Object Store (COS)
VDS-Recorder
VDS-TV Caching GW
VDS-TV Streamer
VDS-TV Vault
Wireless
Cisco 3G Femtocell Wireless
Cisco Mobility Services Engine (MSE)
Cisco Wireless LAN Controller (WLC)
Cisco Wireless Security Gateway Application (WSG)
Digital Life RMS 1.8.1.1 Cisco Broadband Access Center Telco Wireless 3.8.1
Small Cell factory recovery root filesystem V2.99.4 or later
Cisco Hosted Services
Cisco Cloud Services
Cisco Cloud Web Security
Cisco Cloud and Systems Management
Cisco Intelligent Automation for Cloud
Cisco Partner Supporting Service
Cisco Proactive Network Operations Center
Cisco Services Provisioning Platform (SPP)
Cisco UCS Invicta Series Autosupport Portal
Cisco Unified Services Delivery Platform (CUSDP)
Cisco Universal Small Cell 5000 Series running V3.4.2.x software
Cisco Universal Small Cell 7000 Series running V3.4.2.x software
Cisco WebEx Meeting Center
Communication/Collaboration Sizing Tool, Virtue Machine Placement Tool, Cisco Unified Communications Upgrade Readiness Assessment
Data Center Analytics Framework (DCAF) UCS Collector
Feature Analytics Service
Network Change and Configuration Management
Network Health Framework (NHF)
Network Performance Analytics (NPA)
Partner Supporting Service (PSS) 1.x
Partner Supporting Service (PSS) 2.x
Smart Net Total Care (SNTC)
Smart Net Total Care
Support Central
Vulnerable Products
| Product | Defect | Fixed Releases Availability |
|---|---|---|
| Collaboration and Social Media | ||
| Cisco WebEx Meetings Server versions 1.x | CSCuy36539 | |
| Cisco WebEx Meetings Server versions 2.x | CSCuy36539 | |
| Network Application, Service, and Acceleration | ||
| Cisco Visual Quality Experience Server | CSCuy35276 | |
| Cisco Visual Quality Experience Tools Server | CSCuy35276 | |
| Network and Content Security Devices | ||
| Cisco FireSIGHT System Software | CSCuy32284 | |
| Cisco Identity Services Engine (ISE) | CSCuy34700 | |
| Network Management and Provisioning | ||
| Cisco Prime Collaboration Deployment | CSCuy36602 | |
| Cisco Prime Data Center Network Manager (.ova and .iso installers) | CSCuy36546 | |
| Cisco Prime License Manager | CSCuy35265 | |
| Routing and Switching - Enterprise and Service Provider | ||
| Cisco ASR 5000 Series | CSCuy36531 | |
| Voice and Unified Communications Devices | ||
| Cisco Paging Server (Informacast) | CSCuy36612 | 11.5.1 (June 2016) |
| Cisco Paging Server | CSCuy36612 | 11.5.1 (June 2016) |
| Cisco Unified Communications Manager (UCM) | CSCuy32014 | |
| Cisco Unified Communications Manager Session Management Edition (SME) | CSCuy32014 | |
| Video, Streaming, TelePresence, and Transcoding Devices | ||
| Cisco DCM Series 9900-Digital Content Manager | CSCuy35251 | |
| Cisco Edge 300 Digital Media Player | CSCuy35298 | |
| Cisco Edge 340 Digital Media Player | CSCuy35299 | |
| Cisco Expressway Series | CSCuy35269 | |
| Cisco TelePresence Server 8710, 7010 | CSCuy35268 | |
| Cisco TelePresence Server on Multiparty Media 310, 320 | CSCuy35268 | |
| Cisco TelePresence Server on Virtual Machine | CSCuy35268 | |
| Cisco TelePresence Video Communication Server (VCS) | CSCuy35269 | |
| Cisco Hosted Services | ||
| Cisco WebEx Messenger Service | CSCuy36540 | |
Juniper Product Status
The following products have been confirmed to be not vulnerable to the glibc issue reported as CVE-2015-7547:
Junos OS does not use glibc and is not affected by this issue.
Note: Linux VM-based platforms (e.g. vSRX, vMX, etc.) include glibc, but do not make use of DNS client libraries during normal operation.
Junos Space
ScreenOS uses a different implementation of libc and is likely not affected by this issue. Engineering is continuing to investigate.
QFabric Director
JUNOSe
CTP and CTPView
NSM server relies on underlying OS glibc library. Contact OS vendor
SBR Carrier relies on underlying OS glibc library. Contact OS vendor
WX/WXC
Netscreen IDP
Other products are still under investigation.
