What is the GNU glibc vulnerability?
On February 16, 2016, the maintainers of the GNU C Library (known as glibc, an open-source software library widely used in Linux systems) announced that they had released a fix for a vulnerability introduced in 2008 that allowed a buffer overflow to take place. The vulnerability (CVE-2015-7547) could allow an unauthenticated remote attacker to trigger a buffer overflow condition. This may result in a denial of service (DoS) condition or allow the attacker to execute arbitrary code on the affected device.
Who is impacted?
Theoretically, any Linux machine that is connected to the Internet could be at risk. An attacker could use this vulnerability to run malicious code on a targeted Linux system. However, research has indicated that while the attack is possible, no exploit code capable of this is known to be in the wild as of this posting. Unlike earlier flaws such as Heartbleed or Shellshock, this flaw is not trivial to exploit.
Major Linux distributions have already been patched to fix this vulnerability. System administrators should check if a patch is available for distributions in use within their organization.
Broadly speaking, Trend Micro also recommends that outgoing DNS traffic be allowed through only if it is bound for whitelisted DNS servers. A query to a malicious DNS server could be used to exploit this vulnerability; blocking queries to servers not on the whitelist would reduce the risk from this vector.
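One way to audit for gaps in that egress policy, as an added example that is not Trend Micro's code: it scans flow records for permitted DNS traffic (UDP or TCP port 53) to destinations outside an approved resolver list. The log format, field names, addresses and allowlist are constructed assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample flow records (not from the advisory); addresses are from
# documentation ranges. Format is an assumption: key=value pairs per line.
SAMPLE_FLOWS = """\
2016-02-17T10:00:01Z src=10.0.0.5 dst=192.0.2.53 proto=udp dport=53 action=allow
2016-02-17T10:00:02Z src=10.0.0.5 dst=198.51.100.7 proto=udp dport=53 action=allow
2016-02-17T10:00:03Z src=10.0.0.9 dst=198.51.100.7 proto=tcp dport=53 action=allow
2016-02-17T10:00:04Z src=10.0.0.9 dst=203.0.113.10 proto=udp dport=53 action=deny
2016-02-17T10:00:05Z src=10.0.0.9 dst=198.51.100.7 proto=tcp dport=443 action=allow
2016-02-17T10:00:06Z src=10.0.0.7 dst=2001:db8::53 proto=udp dport=53 action=allow
2016-02-17T10:00:07Z truncated record
""".splitlines()

# Hypothetical allowlist of approved resolvers (single hosts or CIDR ranges).
ALLOWED_RESOLVERS = ["192.0.2.53", "2001:db8::/64"]

FIELD = re.compile(r"(\w+)=(\S+)")


def unapproved_dns(lines, allowed):
    """Count permitted DNS flows (UDP or TCP port 53) whose destination is
    not an approved resolver, keyed by (source, destination, protocol)."""
    nets = [ipaddress.ip_network(a, strict=False) for a in allowed]
    hits = Counter()
    for line in lines:
        rec = dict(FIELD.findall(line))
        try:
            dst = ipaddress.ip_address(rec["dst"])
            is_dns = rec["dport"] == "53" and rec["proto"] in ("udp", "tcp")
            passed = rec["action"] == "allow"
        except (KeyError, ValueError):
            continue  # malformed or incomplete record: skip it
        # Membership test is False across IP versions, so mixing v4/v6 is safe.
        if is_dns and passed and not any(dst in n for n in nets):
            hits[(rec["src"], str(dst), rec["proto"])] += 1
    return hits


if __name__ == "__main__":
    for (src, dst, proto), n in sorted(unapproved_dns(SAMPLE_FLOWS, ALLOWED_RESOLVERS).items()):
        print(f"{src} -> {dst} {proto}/53 x{n}")
```

Each reported tuple is a host that reached a resolver the policy should have blocked, which identifies both the firewall rule to tighten and the client whose resolver configuration needs review.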
Does Trend Micro offer any protection against this vulnerability?
Fortunately, Trend Micro has some solutions that already provide protection against this threat.
Trend Micro Deep Security and Vulnerability Protection (formerly the IDF plug-in for OfficeScan) customers with the latest rules also have an additional layer of protection against this vulnerability.
Specifically, Trend Micro has released the following rules and patterns for proactive protection:
- Security Update 16-004 for Deep Security (DSRU16-004)
- Deep Packet Inspection (DPI) rule 1007456 - DNS Malformed Response Detected
- Deep Packet Inspection (DPI) rule 1007457 - Allowed DNS Resolvers
- Deep Packet Inspection (DPI) rule 1007458 - glibc getaddrinfo Stack Based Buffer Overflow Vulnerability
What Trend Micro products are affected?
|Product/Version|Severity|Solution / Additional Information|
|---|---|---|
|Deep Discovery Advisor 3.0 SP1|Low|Critical Patch|
|InterScan Messaging Security Virtual Appliance 9.0|Low|Critical Patch|
|SafeSync for Enterprise 3.1|Low|Critical Patch|
What Trend Micro products are not affected?
|Product|Version|Additional Information|
|---|---|---|
|Advanced Reporting and Management (ARM)|1.6|End-of-Support since December 31, 2015|
|Deep Security|All versions|Deep Security is not affected by this vulnerability.|
|Deep Discovery Inspector|3.8|Glibc version of DDI is 2.5.|
|Network Virus Wall|All versions|Glibc version of NVW is 2.8.|
|Trend Micro Smart Protection Server|2.5, 2.6, 3.0|The OS of TMSPS is CentOS 5.0. Therefore, TMSPS is not affected.|
|Trend Micro Email Encryption Gateway|5.5|TMEEG 5.5 is using CentOS 5.2 with glibc-2.5-24.|
What if my product is not listed?
If the product has not reached End-of-Support, it is most likely that Trend Micro is still analyzing the vulnerability and its impact on your product. As soon as the analysis is completed, the product will be added to the list.
What if I have additional questions?
For additional inquiries, contact Trend Micro Technical Support.
More information on the GNU glibc vulnerability can be found on Trend Micro’s Security Intelligence Blog, in the post “The Linux GNU C Library Vulnerability: What It Is, How To Fix It.”