Researchers have discovered a critical vulnerability in the GNU C Library, glibc, which is exposing many Unix-based systems such as Linux servers to a range of security attacks. According to estimates, hundreds of thousands of devices, as well as apps utilising the GNU free software project are believed to be vulnerable. All versions of glibc starting with v2.9 are vulnerable. The patch has been made available and server admins are advised to update their system as soon as possible.
Google and Red Hat researchers said on Tuesday that they have independently found the vulnerability in the GNU C Library, a collection of open source codes that is utilised by many apps and hardware including IoT devices. The bug, which has been around since 2008, resides in a function called getaddrinfo(), which is designed to allow users to provide domain-name lookups.
The vulnerability can be exploited when an app or vulnerable device requests for some query such as translation of a Web address into its numerical IP address from a compromised domain name or server. The bug also allows an attacker to monitor and manipulate data passing between a compromised app or device to the Web. It can also allow an attacker to perform remote code execution. "No, seriously, patch glibc today," wrote security researcher Kenn White. "This is bad."
"[...] We were able determine that the issue could result in remote code execution," researchers at Google wrote in a blog post. "Our initial investigations showed that the issue affected all the versions of glibc since 2.9. You should definitely update if you are on an older version though. If the vulnerability is detected, machine owners may wish to take steps to mitigate the risk of an attack."
Computers running Windows, OS X, iOS or Android should not be affected. API Web services and other Web frameworks like PHP and Python, on the other hand, are affected. The patch for the bug is now available, and server admins are advised to install it on their machines right away.
The researchers at Google also took the opportunity to remind people that free-software projects don't always get patched in a timely manner. The bug was first reported to them last year. Users also should realise that modems and other devices can also become vulnerable, and should be handled carefully.