A major security vulnerability has been disclosed that could leave hundreds of thousands of devices, apps and services open to attack.
The bug is in glibc, the GNU C Library: an open-source library of core code that underpins most Linux systems and is widely used in internet-connected devices. glibc 2.9, released in 2008, and every later version are affected. The vulnerability was disclosed by researchers from Google.
The researchers said they stumbled on the vulnerability when an SSH client they were using crashed with a segmentation fault each time it tried to connect to a particular host.
Google engineers eventually traced the crash to a stack-based buffer overflow in glibc's DNS resolver that could allow malicious code execution, and then notified the glibc maintainers.
To the surprise of the Google researchers, they soon learned that glibc maintainers had been alerted to the vulnerability last July.
They also learned that people who work for the Red Hat Linux distribution had also independently discovered the bug and were working on a fix.
“This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users,” the Google researchers wrote.
Google’s team details how the flaw in this commonly used code could be exploited to gain remote control of a device, be it a computer, internet router or other connected piece of equipment.
The affected function is domain name look-up: the step in which a device translates a host name such as a web address into the IP address it needs to reach the website or service.
The look-up code in glibc contains a bug that an attacker can trigger if they control the DNS server being queried, or can intercept and spoof its replies, by sending an oversized response. The response overflows a fixed-size buffer in the device’s memory, and from there remote code execution, controlling the device over the internet, becomes possible.
However, Google said the flaw is hard to exploit, because an attacker must also defeat protections such as address-space layout randomisation, although its engineers have worked out how. For obvious security reasons they are not releasing that working exploit.
The vulnerable code is also linked into many of the so-called “building blocks” of the web: programming languages such as PHP and Python rely on glibc for name look-ups, as do systems used when logging in to sites or accessing email.
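The bug described above is triggered by a DNS reply larger than the 2048-byte buffer that glibc’s look-up code (getaddrinfo) reserves for a response, which is why Google’s disclosure suggested limiting the size of replies a local resolver will accept as an interim measure. The following is an added example, not code from the article, from Google or from glibc: it builds two constructed DNS replies in wire format, one ordinary and one padded with enough address records to cross the 2048-byte boundary, and shows a resolver-side check that flags and drops the oversized one. The host name, addresses and the 130-record count are sample data chosen for the illustration.

```python
"""Flag DNS replies that exceed the 2048-byte resolver buffer.

Added example; not code from the original article or from glibc.  The
disclosure reported that the overflow is triggered by a reply larger than
the 2048-byte stack buffer used by getaddrinfo(); the helpers below build
constructed sample replies and check whether a raw reply crosses that size.
"""
import struct

STACK_BUFFER_BYTES = 2048   # size of the fixed resolver buffer the bug is tied to
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """Encode a host name in DNS wire format (length-prefixed labels)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_response(qname, addrs, txid=0x1234):
    """Construct a DNS answer carrying one A record per address (sample data)."""
    # flags 0x8180: QR=1 (response), RD=1, RA=1, RCODE=0 (no error)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    answers = b""
    for addr in addrs:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the name in the question
        answers += (b"\xc0\x0c"
                    + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, len(rdata))
                    + rdata)
    return header + question + answers


def parse_header(raw):
    """Unpack the 12-byte DNS header; reject anything shorter."""
    if len(raw) < 12:
        raise ValueError("truncated DNS message")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", raw[:12])
    return {"id": txid, "flags": flags, "qdcount": qd, "ancount": an,
            "nscount": ns, "arcount": ar}


def assess_response(raw):
    """Return the facts a resolver-side size filter needs about one raw reply."""
    hdr = parse_header(raw)
    return {
        "is_response": bool(hdr["flags"] & 0x8000),
        "answers": hdr["ancount"],
        "length": len(raw),
        "oversized": len(raw) > STACK_BUFFER_BYTES,
    }


def filter_replies(replies):
    """Drop replies that would not fit the fixed buffer; pass the rest through."""
    return [r for r in replies if not assess_response(r)["oversized"]]


# Constructed sample traffic: one ordinary reply (45 bytes) and one padded
# with 130 A records of 16 bytes each, which crosses the 2048-byte boundary.
NORMAL_REPLY = build_response("example.com", ["93.184.216.34"])
OVERSIZED_REPLY = build_response(
    "example.com", ["10.0.%d.%d" % (i // 256, i % 256) for i in range(130)])

if __name__ == "__main__":
    for label, reply in (("normal", NORMAL_REPLY), ("oversized", OVERSIZED_REPLY)):
        print(label, assess_response(reply))
```

The same length test applies to replies received over TCP, where the message is preceded by a two-byte length prefix: compare the framed length against the buffer size before reading the body. A filter like this is a stop-gap that narrows the attack surface; it does not replace installing the patched glibc.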
“It’s not a sky-is-falling scenario,” said Washington, D.C.-based security researcher Kenneth White.
“But it’s true there’s a very real prospect that a sizable portion of internet-facing services are at risk for hackers to crash, or worse, run remote code to attack others.”
The scale of the problem is difficult to determine because it is unclear how many devices and systems make use of the glibc code.
For instance, Google Android devices use their own C library, Bionic, which is not vulnerable to this particular attack, but hundreds of thousands of other devices could be, and so manufacturers are being urged to test their systems using a proof-of-concept attack developed and released on Tuesday by Google’s team.
Major systems like Windows or OS X are unaffected, since they do not use glibc, but consumers need to be more concerned about smaller connected devices, which commonly run Linux and rarely receive updates.
It remains unclear why or how glibc maintainers allowed a bug of this magnitude to be introduced into their code, remain undiscovered for seven years, and then go unfixed for seven months following its report. By Google’s account, the bug was independently uncovered by at least two and possibly three separate groups who all worked to have it fixed.
Google engineers, working with security engineers at Red Hat, have released a patch to fix the problem, and it is now up to manufacturers and the Linux distributions to ship the fix for affected software and devices as soon as possible. Because glibc is loaded into almost every running program, installing the update is not enough on its own: affected services must be restarted, or the system rebooted, before they pick up the fixed library.