Glibc flaw leaves Linux open to hackers – including thousands of IoT devices.
A major vulnerability in the GNU C Library could result in Linux-based IoT devices being hacked, according to security researchers.
The flaw affects all versions of the library, known as glibc, since version 2.9. According to Fermin J. Serna, staff security engineer and Kevin Stadmeyer, technical program manager at Google, a fully working exploit has been discovered but a patch has also been made available.
In a blog post, the engineers said the fault to result in remote code execution on the target device.
“We immediately began an in-depth analysis of the issue to determine whether it could be exploited, and possible fixes. We saw this as a challenge, and after some intense hacking sessions, we were able to craft a full working exploit,” the engineers said.
“The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack,” they added.
While the patch is now available, the problem could be exacerbated as Linux forms the core operating system in many IoT devices which are difficult to update in the field.
The engineers said that the flaw was found ages ago but not fixed. “To our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July 2015,” the engineers said.
IoT security needs work
Ross Brewer, vice president and managing director of international markets at LogRhythm, said unless the new patch is installed quickly, hackers are going to have a field day accessing confidential information via computers, mobile phones or internet routers.
“What’s worrying is that the bug has been around since 2008 and was identified last year, but overlooked as a low priority. In all honestly, it’s baffling that nothing was done about it sooner,” he said.
“Mobile and internet-connected devices are now an essential part of business life, but there’s no doubt that they have opened up new ways for hackers to get their hands on company data.”
Mark James, security specialist at ESET, told Internet of Business that hackers could implant code into the device’s memory when domain look-ups are performed.
“Once compromised remote code could be executed thus taking complete control of the device, once this happens realistically anything could happen at their command,” he said.
Meanwhile, in related news, Forbes reports that Samsung’s SmartThings devices have a number of security vulnerabilities that remain unpatched, potentially allowing criminals to enter connected homes undetected.