A security flaw was recently discovered in the Linux Operating System. This flaw is present in all versions of Talari Physical and Virtual Appliances and Talari Aware.
A critical vulnerability (CVE-2015-7547) has been discovered in the GNU C library (glibc). See description at http://thehackernews.com/2016/02/glibc-linux-flaw.html:
"A highly critical vulnerability has been uncovered… that leaves nearly all Linux machines, thousands of apps and electronic devices vulnerable to hackers that can take full control over them.
The recent flaw, which is indexed as CVE-2015-7547, is a stack-based buffer overflow vulnerability in glibc's DNS client-side resolver that is used to translate human-readable domain names, like google.com, into a network IP address.
The buffer overflow flaw is triggered when the getaddrinfo() library function that performs domain-name lookups is in use, allowing hackers to remotely execute malicious code."
Talari is proposing two workarounds that will significantly reduce the risk to your network arising from Talari Appliances, Talari Aware or any vulnerable Linux machine in your network. Teneo recommend you employ one of these workarounds until Talari can release a permanent fix and until all other affected Linux-based machines in your network are patched by their respective vendors.
- Workaround #1: Limit DNS servers to trusted devices isolated to the management network. This greatly limits the possible vectors of attack by requiring that an attacker already have a presence inside the management network. On a Talari Appliance, the DNS servers can be configured under Manage Appliance -> Ethernet Interface Settings.
- Workaround #2: If the border firewall is sufficiently advanced and no local DNS server is available, adding rules to deny DNS responses that are likely to cause an exploit will protect a network from external attacks. DNS responses can be identified as TCP or UDP traffic sourced from port 53. Current recommendations are to drop UDP replies greater than 512 bytes and TCP replies greater than 1024 bytes. If the firewall is based on Linux iptables and the connbytes match (filter module) is available, the following rules may be used:
iptables -t filter -A INPUT -p udp --sport 53 -m connbytes --connbytes 512: --connbytes-dir reply --connbytes-mode bytes -j DROP
iptables -t filter -A INPUT -p tcp --sport 53 -m connbytes --connbytes 1024: --connbytes-dir reply --connbytes-mode bytes -j DROP
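The two rules above match on cumulative bytes per conntrack flow in the reply direction, not on the size of a single packet. The Python model below (an added example, not Talari's code) reproduces that semantics with the advisory's 512/1024 thresholds over constructed DNS replies; the resolver and client addresses are made up, and the model counts only DNS payload bytes whereas conntrack counts whole packets.

```python
import struct
from collections import defaultdict

# Thresholds from the advisory's iptables rules. The connbytes range "512:"
# is inclusive, so a reply flow is dropped once its cumulative reply bytes
# reach 512 (UDP) or 1024 (TCP).
LIMITS = {"udp": 512, "tcp": 1024}


def make_reply(txid, size):
    """Constructed DNS response: 12-byte header with QR=1, zero-padded to `size` bytes."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    return header + b"\x00" * (size - len(header))


class ReplyByteScreen:
    """Models the connbytes match: bytes are accumulated per flow in the reply
    direction (server port 53 -> client) and compared with the threshold.
    Simplification: only the DNS payload is counted; conntrack accounting
    counts whole packets, headers included."""

    def __init__(self, limits=LIMITS):
        self.limits = dict(limits)
        self.seen = defaultdict(int)  # (proto, client, server) -> cumulative reply bytes

    def verdict(self, proto, client, server, payload):
        """Return 'DROP' or 'ACCEPT' for one reply packet ('udp' or 'tcp')."""
        if proto not in self.limits:
            raise ValueError("unsupported protocol: %r" % proto)
        key = (proto, client, server)
        self.seen[key] += len(payload)
        return "DROP" if self.seen[key] >= self.limits[proto] else "ACCEPT"


def run_demo():
    """Feed constructed replies through the screen and return the verdicts."""
    screen = ReplyByteScreen()
    srv = "192.0.2.53:53"  # constructed resolver address
    return [
        # Ordinary A-record sized UDP reply, far below 512 bytes: accepted.
        screen.verdict("udp", "10.0.0.5:40000", srv, make_reply(1, 80)),
        # Oversized UDP reply, the kind the workaround exists to drop.
        screen.verdict("udp", "10.0.0.6:40001", srv, make_reply(2, 700)),
        # TCP fallback: a 900-byte reply is under the 1024-byte limit and passes...
        screen.verdict("tcp", "10.0.0.7:40002", srv, make_reply(3, 900)),
        # ...but the count is cumulative per flow, so a later 300-byte reply on the
        # same TCP connection pushes it to 1200 and is dropped.
        screen.verdict("tcp", "10.0.0.7:40002", srv, make_reply(4, 300)),
    ]
```

The last case is the practical caveat: a long-lived TCP connection carrying several legitimate replies will also be cut off once the reply bytes reach 1024, so resolvers that reuse TCP connections (or serve large EDNS0/DNSSEC answers) may see lookups fail under this workaround.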
Talari are working on an update to Talari software which will remove the security vulnerability from Talari Appliances and Talari Aware. This fix will be available next week (the week of February 23). The fix will require an update to the Talari OS and will require an update to APN versions prior to APN 4.4P3. In addition to the updates, a reboot of all appliances will be required in order for the fix to be activated.
What if I need help?
If you have any questions regarding this notification please don’t hesitate to reach out to us, or visit our support portal.
You can contact us on our 24 x 7 support number or email us at firstname.lastname@example.org
EMEA: +44 (0)845 299 0623
US: +1 877 836 3610
APAC: +61 1800 765 389