Google, Red Hat discover critical DNS security flaw that enables malware to infect entire internet

Share this…

Google and security firm Red Hat have discovered a critical security flaw in the Internet’s Domain Name System (DNS) that affects a library in a universally used protocol. This means an attacker could use it to infect almost everything on the entire internet. With the flawed code spread far and wide, it will likely take years of effort to patch the bug.

Google engineers and Red Hat researchers both independently discovered the DNS bug within the GNU C standard library (glibc) called CVE-2015-7547, and then worked together to create a patch. The security vulnerability works by tricking browsers into looking up suspicious domains, which causes servers to reply with DNS names that are far too long, thus causing a buffer overflow in the victim’s software.

The buffer overflow would then make it possible for an attacker to remotely execute code and take over the computer, and they could perform this exact same attack on machines all over the world, as the code containing the flaw has been in use since May 2008 and affected all versions of glibc since version 2.9.

Google, Red Hat discover critical DNS security flaw that enables malware to infect entire internet

Flaw can affect almost all parts of internet infrastructure

To understand how damaging this flaw could be, security researcher Dan Kaminsky explains on his blog that it is far worse than the Heartbleed OpenSSL bug or ShellshockLinux Bash and Mac OS X bug, which infected things connected to a network, rather than everything that makes up the internet, such as network tools and even software.

The reason it is such a big problem is that most Internet software is built on Linux, and it is already known that if an attacker were to infiltrate an enterprise’s network, for example, the attacker would then be able to easily take over all the systems running Linux.

In the same fashion, in order to connect to the internet, Linux uses the Gnc C standard library to connect to DNS to resolve domain names to IP addresses, and therefore the attacker would be able to capitalise on this.

The last DNS flaw took 10 years to fix

“It’s problematic that, a decade after the last DNS flaw that took a decade to fix, we have another one. It’s time we discover and deploy architectural mitigations for these sorts of flaws with more assurance than technologies like ASLR can provide,” Kaminsky writes.

“The hard truth is that if this code was written in JavaScript, it wouldn’t have been vulnerable. We can do better than that. We need to develop and fund the infrastructure, both technical and organisational, that defends and maintains the foundations of the global economy.”

On the plus side, although there are millions of DNS caches across the internet, no researchers have yet to be able to get the glibc DNS bug to work through caches, and therefore, Kaminsky says that only “some networks are going to be vulnerable to some cache traversal attacks sometimes”.

However, he says that while this might not be an immediate problem, if this flaw is not patched soon, it could become a much bigger problem a year or two down the line.