Google, Red Hat discover critical DNS security flaw that enables malware to infect the entire Internet
February 24, 2016 11:58 GMT
Google and Red Hat engineers have discovered a crucial security flaw in the internet's infrastructure that would enable attackers to cripple the entire internet (iStock)
Google and security firm Red Hat have discovered a critical security flaw in the Internet's Domain Name System (DNS) that affects a library in a universally used protocol. This means an attacker could use it to infect almost everything on the entire internet. With the flawed code spread far and wide, it will likely take years of effort to patch the bug.
Google engineers and Red Hat researchers independently discovered the DNS bug in the GNU C standard library (glibc), tracked as CVE-2015-7547, and then worked together to create a patch. The security vulnerability works by tricking browsers into looking up suspicious domains, which causes servers to reply with DNS names that are far too long, thus causing a buffer overflow in the victim's software.
The buffer overflow would then make it possible for an attacker to remotely execute code and take over the computer, and they could perform this exact same attack on machines all over the world, as the code containing the flaw has been in use since May 2008 and affects all versions of glibc since version 2.9.
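
A defensive check for the oversized replies described above, as an added example that is not part of the original article: it splits captured DNS traffic into messages and flags responses above a size limit. The 2048-byte limit comes from public advisories for CVE-2015-7547 rather than from this article, and all function names and sample bytes are constructed for illustration.

```python
import struct

# Assumption, not from the article: public advisories for CVE-2015-7547 put
# the trigger at DNS responses larger than glibc's 2048-byte answer buffer.
MAX_EXPECTED_RESPONSE = 2048

def parse_header(msg):
    """Return (txid, is_response, truncated) from the 12-byte DNS header."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its header")
    txid, flags = struct.unpack("!HH", msg[:4])
    return txid, bool(flags & 0x8000), bool(flags & 0x0200)

def split_tcp_stream(stream):
    """Split DNS-over-TCP bytes into messages (2-byte length prefix each)."""
    messages, offset = [], 0
    while offset + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[offset:offset + 2])
        body = stream[offset + 2:offset + 2 + length]
        if len(body) < length:
            break  # trailing message is incomplete; wait for more data
        messages.append(body)
        offset += 2 + length
    return messages

def flag_oversized(transport, payload):
    """Report every DNS response in the payload that exceeds the limit."""
    messages = split_tcp_stream(payload) if transport == "tcp" else [payload]
    findings = []
    for msg in messages:
        txid, is_response, truncated = parse_header(msg)
        if is_response and len(msg) > MAX_EXPECTED_RESPONSE:
            findings.append({"transport": transport, "txid": txid,
                             "size": len(msg), "truncated": truncated})
    return findings

def sample_message(txid, size, response=True):
    """Constructed test input: a DNS header followed by zero padding."""
    flags = 0x8000 if response else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + b"\x00" * (size - 12)

if __name__ == "__main__":
    tcp = b"".join(struct.pack("!H", len(m)) + m
                   for m in (sample_message(1, 300), sample_message(2, 2500)))
    print(flag_oversized("udp", sample_message(3, 512)))
    print(flag_oversized("tcp", tcp))
```

A size check like this is a monitoring aid only; whether a host is actually exposed depends on whether its glibc has been patched.
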
Flaw can affect almost all parts of internet infrastructure
To understand how damaging this flaw could be, security researcher Dan Kaminsky explains on his blog that it is far worse than the Heartbleed OpenSSL bug or the Shellshock Linux Bash and Mac OS X bug, which affected things connected to a network, rather than everything that makes up the internet, such as network tools and even software.
The reason it is such a big problem is that most Internet software is built on Linux, and it is already known that if an attacker were to infiltrate an enterprise's network, for example, the attacker would then be able to easily take over all the systems running Linux.
In the same fashion, in order to connect to the internet, Linux uses the GNU C standard library to query DNS and resolve domain names to IP addresses, and therefore the attacker would be able to capitalise on this.
The last DNS flaw took 10 years to fix
"It's problematic that, a decade after the last DNS flaw that took a decade to fix, we have another one. It's time we discover and deploy architectural mitigations for these sorts of flaws with more assurance than technologies like ASLR can provide," Kaminsky writes.
"The hard truth is that if this code was written in JavaScript, it wouldn't have been vulnerable. We can do better than that. We need to develop and fund the infrastructure, both technical and organisational, that defends and maintains the foundations of the global economy."
On the plus side, although there are millions of DNS caches across the internet, no researchers have yet been able to get the glibc DNS bug to work through caches, and therefore Kaminsky says that only "some networks are going to be vulnerable to some cache traversal attacks sometimes".
However, he says that while this might not be an immediate problem, if this flaw is not patched soon, it could become a much bigger problem a year or two down the line.