glibc CVE-2015-7547
Posted: Wed Feb 17, 2016 9:54 am
I'm surprised there's not been a post about this already.
For Centos 6 and 7 (not needed for 5 and 4) updated glibc and nscd rpms are already hitting the mirrors.
Now, as I understand it, a system reboot is recommended after installation as you can never be quite sure what might or might not be using the old libraries until the service is restarted.
If you can't reboot and don't want to examine the output of lsof or whatever, one of our suppliers has suggested adding the following to your firewall:
iptables -I INPUT -p udp --sport 53 -m length --length 512: -j DROP
iptables -I INPUT -p tcp --sport 53 -m length --length 1024: -j DROP
(if appropriate) iptables -I FORWARD -p udp --sport 53 -m length --length 512: -j DROP
(if appropriate) iptables -I FORWARD -p tcp --sport 53 -m length --length 1024: -j DROP
(similarly for ipv6 as appropriate)
They claim it will have 0 impact other than to mitigate against the vulnerability. I can't say whether this is the case or not though.
If you want to add these rules via the ASL GUI, would I be correct in saying that you'd need to add the "-m length --length 512" in the "Additional options" box? (as well as setting the source port, protocol and jump target obviously, and selecting Insert rather than append etc etc)
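As an added example (not part of the original post and not the supplier's advice): the post mentions checking lsof instead of rebooting. Once the new glibc rpm is installed, the old library files are unlinked, so any process still running on the pre-update glibc shows the mapping with a "(deleted)" suffix in /proc/PID/maps. The script below collects those mappings and lists the PIDs that still need a restart. The function names (`stale_libc_pids`, `collect_maps`, `check_sample`), the library-name pattern and the sample maps lines are assumptions made for this example; the sample input is constructed, and the live mode needs root to read other users' maps.

```shell
#!/bin/bash
# Added example, not from the original post: list processes that still have
# the pre-update glibc (or the resolver libraries) mapped. After the rpm
# update the old file is unlinked, so /proc/PID/maps shows it as "(deleted)".

# stale_libc_pids: read lines of the form "PID <maps line>" on stdin and print
# the unique PIDs whose mapped libc / libresolv / libnss_dns file is deleted.
# Library name pattern is an assumption; adjust for your distribution.
stale_libc_pids() {
    awk '
        $NF == "(deleted)" && $(NF-1) ~ /\/(libc|libresolv|libnss_dns)[-.]/ {
            seen[$1] = 1
        }
        END { for (p in seen) print p }
    ' | sort -n | paste -s -d ' ' -
}

# collect_maps: emit "PID <maps line>" for every live process. This is the
# real check (run as root); the test uses constructed input instead.
collect_maps() {
    for m in /proc/[0-9]*/maps; do
        pid=${m#/proc/}
        pid=${pid%/maps}
        sed "s/^/$pid /" "$m" 2>/dev/null
    done
}

# Constructed sample: PIDs 1234 and 5678 still use unlinked libraries, 9012
# has already been restarted, 3456 has an unrelated deleted mapping.
SAMPLE_MAPS='1234 7f0000000000-7f0000001000 r-xp 00000000 fd:00 123 /lib64/libc-2.17.so (deleted)
1234 7f0000100000-7f0000101000 r-xp 00000000 fd:00 124 /lib64/libpthread-2.17.so
5678 7f0000000000-7f0000001000 r-xp 00000000 fd:00 125 /lib64/libresolv-2.17.so (deleted)
9012 7f0000000000-7f0000001000 r-xp 00000000 fd:00 200 /lib64/libc-2.17.so
3456 7f0000000000-7f0000001000 r-xp 00000000 fd:00 300 /tmp/scratch.dat (deleted)'

# check_sample: run the parser over the constructed sample (expected: "1234 5678").
check_sample() {
    printf '%s\n' "$SAMPLE_MAPS" | stale_libc_pids
}

if [ "${1:-}" = "--live" ]; then
    collect_maps | stale_libc_pids
else
    check_sample
fi
```

Run it with `--live` as root on the patched box to get the PIDs to restart; without arguments it runs against the constructed sample. An empty result in live mode means nothing is still mapping the old libraries and the reboot can be deferred; a non-empty result is the list of services to restart (or the case for rebooting).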