Protecting Against CVE-2015-7547

Posted on by dpepper | Updated:
Category: Security Bulletins | Tags:

Overview

The Google Security Team and Red Hat have discovered a flaw in the way that certain types of DNS lookups are handled on some Linux servers. By exploiting this critical vulnerability, an attacker could gain full control over the system.

Liquid Web is proactively ensuring that all Managed servers are patched, and will be notifying customers directly of the relevant details. As long as we’re able to access the server, no further action should be required on your part. If you’re not certain whether we have your server’s current password on file, you may wish to update your server password in Manage, and you also may wish to check that automatic operating system package updates are enabled in cPanel/WHM.

Managed Liquid Web customers may, depending on notification preferences, receive a cPanel notice referring to “Altered RPMs” after the patch is applied. This notification indicates that operating system packages have been updated outside of cPanel, and in this case is no cause for alarm. While the subject of the message may sound ominous, it is not related to the vulnerability itself. Rather, the notice is a result of the fact that the server’s operating system packages were upgraded. For more information, you may refer to Altered RPMs. If you need further assistance, feel free to contact Heroic Support®.

Liquid Web customers with self-managed servers will want to follow the instructions in this article to determine whether their server is vulnerable and to upgrade their operating system packages.

Impact

The code that causes the vulnerability was introduced in a 2008 update to the GNU C Library (glibc). That package contains a library against which all GNU/Linux programs are linked, and the flaw affects the version of glibc included in a number of current Linux distributions:

  • Red Hat Enterprise Linux 6 and 7
  • CentOS 6 and 7
  • Fedora 22 and 23
  • Ubuntu 12.04 LTS, 14.04 LTS, and 15.10
  • Debian 6 (squeeze), 7 (wheezy), and 8 (jessie)

Resolution

On affected servers, glibc needs to be updated and the server rebooted. Managed Liquid Web customers do not need to take any action: All managed servers will be updated and rebooted as outlined in the notification sent to customers. Only self-managed servers will need to be manually updated and rebooted.

Step #1: Check the Current glibc Version

  1. On CentOS 6 and CentOS 7 servers, run:

    yum list glibc

    That will produce output similar to:

    [root@host ~]# yum list glibc
    Installed Packages
    glibc.x86_64     2.17-106.el7_2.1     @system-updates-released
    Available Packages
    glibc.i686     2.17-106.el7_2.1     system-updates-released

    The currently installed version is listed under Installed Packages.

  2. On Fedora 22 and Fedora 23 servers, run:

    dnf list glibc

    That will produce output similar to:

    [root@host ~]# dnf list glibc
    Installed Packages
    glibc.x86_64     2.21-5.fc22     @System
    Available Packages
    glibc.i686     2.21-5.fc22     fedora

    The currently installed version is listed under Installed Packages.

  3. On Debian (6, 7, and 8) and Ubuntu (12.04 LTS, 14.04 LTS, 15.10) servers, run:

    ldd --version

    That will produce output similar to:

    [root@host ~]# ldd --version
    ldd (Ubuntu EGLIBC 2.21-0ubuntu4.1) 2.19
    Copyright (C) 2012 Free Software Foundation, Inc.
    This is free software; see the source for copying conditions. There is NO
    warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
    Written by Roland McGrath and Ulrich Drepper.

    The currently installed version in this example is 2.21-0ubuntu4.1.

Step #2: Is the Installed Version Vulnerable?

If the version returned by the command you ran above matches (or exceeds) the version listed below for your operating system, then the vulnerability already has been patched:

  • Patched versions:
  • CentOS 6: glibc-2.12-1.166.el6_7.7
  • CentOS 7: glibc-2.17-106.el7_2.4
  • Fedora 22: glibc-2.21-11.fc22
  • Fedora 23: glibc-2.22-9.fc23
  • Debian 6 (squeeze): eglibc 2.11.3-4+deb6u11
  • Debian 7 (wheezy): eglibc 2.13-38+deb7u10
  • Debian 8 (jessie): glibc 2.19-18+deb8u3
  • Ubuntu 15.10: libc6 2.21-0ubuntu4.1
  • Ubuntu 14.04 LTS: libc6 2.19-0ubuntu6.7
  • Ubuntu 12.04 LTS: libc6 2.15-0ubuntu10.13

If the version returned by the command you ran in Step 1 is lower than what’s listed above for your operating system — and you have a self-managed server — you will need to proceed to Step 3 to upgrade and reboot.

Step #3: Update glibc on a Self-Managed Server

The update only needs to be applied manually on self-managed servers. If you have a self-managed server, you can run these commands as root to update and reboot:

  1. On Debian (6, 7, and 8) and Ubuntu (12.04 LTS, 14.04 LTS, 15.10) servers:
    apt-get update
    apt-get dist-upgrade
    reboot

  2. On CentOS 6 and CentOS 7 servers:
    yum clean all
    yum update glibc
    reboot

  3. On Fedora 22 and Fedora 23 servers:
    dnf clean all
    dnf update
    reboot

Note: Please remember that following these steps, you must reboot the server in order for the update to take effect and ensure you’ve been secured. If you need assistance with this, feel free to consult Checklist Prior to Reboot and How to Reboot via Liquid Web Management Interface.