Patch Available for DNS Security Flaw
Talari OS 4.6 is now available for download. This OS is based on Linux Kernel 3.2.73 and specifically includes a fix for CVE-2015-7547, a critical stack-based buffer overflow vulnerability in the GNU C library (glibc). See detailed description at The Hacker News. Talari OS 4.6 resolves this vulnerability, but you must first update to APN 4.4P3 (or later) before updating to Talari OS 4.6. Visit the Talari OS 4.6 release page for more details or to download.
If you need help installing the new OS or want to better understand whether your network is vulnerable, you can contact us on our support number or email support@teneo.net
EMEA: +44 (0)845 299 0623
US: +1 877 836 3610
APAC: +61 1800 765 389
Workaround
If you do not wish to update your Talari Appliances to Talari OS 4.6, two workarounds are available that will significantly reduce the risk to your network arising from CVE-2015-7547. We recommend employing one of these workarounds until all Linux-based machines in your network are properly patched.
- Workaround #1: Limit DNS servers to trusted devices isolated to the management network. This greatly limits the possible attack vectors by requiring that an attacker already have a presence inside the management network. On a Talari Appliance, the DNS servers can be configured under Manage Appliance -> Ethernet Interface Settings.
- Workaround #2: If the border firewall is sufficiently advanced and no local DNS server is available, adding rules to deny DNS responses that are likely to trigger the overflow will protect a network from external attacks. DNS responses can be identified as TCP or UDP traffic sourced from port 53. Current recommendations are to drop UDP replies greater than 512 bytes and TCP replies greater than 1024 bytes. If the firewall is based on Linux iptables and the filter module is available, the following rules may be used:
iptables -t filter -A INPUT -p udp --sport 53 -m connbytes --connbytes 512: --connbytes-dir reply --connbytes-mode bytes -j DROP
iptables -t filter -A INPUT -p tcp --sport 53 -m connbytes --connbytes 1024: --connbytes-dir reply --connbytes-mode bytes -j DROP
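The following helper script is an added example written for this notification; it is not Teneo or Talari tooling. It wraps the two rules above so they can be reviewed in a dry run, installed only once (checked with iptables -C before iptables -A), and reasoned about with a small verdict function that encodes the 512/1024-byte thresholds. It assumes iptables with the connbytes match and the nf_conntrack module are present on the firewall, and that it is run as root only when --apply is given.

```shell
#!/bin/sh
# Added example (not Teneo's or Talari's own script) around the
# CVE-2015-7547 iptables workaround. Assumes iptables with the
# connbytes match and nf_conntrack; run as root only with --apply.

UDP_LIMIT=512    # drop UDP replies from port 53 at or above this size
TCP_LIMIT=1024   # drop TCP replies from port 53 at or above this size

# Map a protocol name to its byte threshold (prints the limit).
limit_for() {
  case "$1" in
    udp) echo "$UDP_LIMIT" ;;
    tcp) echo "$TCP_LIMIT" ;;
    *) echo "unknown protocol: $1" >&2; return 2 ;;
  esac
}

# dns_reply_verdict PROTO BYTES -> DROP or ACCEPT, mirroring what the
# connbytes rule (range "LIMIT:", i.e. LIMIT and above) would do.
dns_reply_verdict() {
  limit=$(limit_for "$1") || return 2
  if [ "$2" -ge "$limit" ]; then echo DROP; else echo ACCEPT; fi
}

# dns_drop_rule PROTO -> rule specification without the -A/-C verb,
# so the same text serves both the existence check and the append.
dns_drop_rule() {
  limit=$(limit_for "$1") || return 2
  echo "INPUT -p $1 --sport 53 -m connbytes --connbytes ${limit}: --connbytes-dir reply --connbytes-mode bytes -j DROP"
}

# Install each rule only if it is not already in the filter table.
apply_rules() {
  for proto in udp tcp; do
    spec=$(dns_drop_rule "$proto")
    # Word-splitting of $spec into separate arguments is intentional.
    if iptables -t filter -C $spec 2>/dev/null; then
      echo "already present: $spec"
    else
      iptables -t filter -A $spec && echo "added: $spec"
    fi
  done
}

case "${1:-}" in
  --apply)
    [ "$(id -u)" -eq 0 ] || { echo "run as root to apply rules" >&2; exit 1; }
    lsmod | grep -q '^nf_conntrack' || echo "warning: nf_conntrack not loaded; connbytes needs conntrack" >&2
    apply_rules ;;
  *)
    echo "dry run; re-run with --apply to install. Rules that would be added:"
    for proto in udp tcp; do echo "iptables -t filter -A $(dns_drop_rule "$proto")"; done ;;
esac
```

Two points worth keeping in mind when using this: connbytes counts the bytes conntrack has seen for the reply direction of the flow, so the kernel must have connection tracking loaded, and the range form `512:` matches 512 bytes and above, so a reply of exactly 512 bytes is dropped as well. Legitimate responses that use EDNS0 (DNSSEC-signed zones in particular) routinely exceed 512 bytes over UDP, so verify name resolution from the protected network after the rules are in place.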
What if I need help?
If you have any questions regarding this notification please don’t hesitate to reach out to us, or visit our support portal.
You can contact us on our 24 x 7 support number or email support@teneo.net
EMEA: +44 (0)845 299 0623
US: +1 877 836 3610
APAC: +61 1800 765 389
Thanks
Teneo Support