CVE-2015-7547, glibc vulnerability; its impact on Cisco products and our mitigation solutions

Posted by John Marrett on Feb 19, 2016 12:16:06 PM

 CVE vulnerability - stack8 solution

 

The Vulnerability 

On Tuesday, February 16th, Google's security team announced a significant vulnerability in glibc . The vulnerability relates to the handling of DNS packets, and many Cisco systems are vulnerable to it if an attacker can cause an affected device to perform a DNS lookup against an attacker-controlled DNS server. As many services (ssh, some web servers, mail servers) do perform these requests in an externally controllable fashion, the risk and exposure of this vulnerability are extremely significant.

Cisco released their advisory for this issue on the 18th. Because of the extensive use of Linux in newer switching and routing products, UC servers, and security and management appliances, the potential scope of the issue is vast. Cisco is presently still in the process of qualifying products to determine if and how they are affected.

Here is an example of how the most common attack vector works. The attacker connects to a service (Mail, Video Conferencing, SSH, Web) that performs a DNS lookup, this could be a reverse lookup of the connecting service, it could also be a forward lookup triggered by the details of the request and protocol. The attacker returns hostile DNS traffic that then impacts the client device:


CVE-2015-7547-diagram-1.png

 

Cisco Products Most at Risk 

The products most at risk to this vulnerability are those that are most exposed to potential attackers. In most enterprise environments this constitutes first external users, then internal users. In this blog post, we'll first address edge devices, discuss general mitigation techniques and finally highlight some information on IPS solutions.

At the enterprise, with the edge devices in Cisco's product suite, our expectation is to find firewalls and border routers, as well as Expressway. In most common configurations, we don't expect the firewalls and border routers to be vulnerable. These devices are rarely configured to make use of DNS servers. As the risk is caused by DNS resolution, a product that does not have a DNS resolver configured should not be affected by the issue. DNS inspection does not, to our knowledge, make use of the affected glibc code. Most ASA devices and edge firewalls are not configured to resolve DNS. Traditional IOS is not affected. If you have a real need to use DNS services on these devices, there are still mitigation methods available to you, we are in the process of developing edge and DNS server based configurations to mitigate these issues, however, they presently have a significant impact on DNS functionality. We plan to continue update the Stack8 blog with more details on these techniques as well as their impact.

 

ASA
For an ASA to be vulnerable, the dns domain lookup command must specify an interface and a dns server group must be configured.  Here's an example of a vulnerable configuration:

dns domain-lookup outside
dns server-group DefaultDNS

name-server 8.8.8.8 8.8.4.4

[Mitigation

We recommend first validating if the DNS server is actually used; look for objects referencing a fqdn on devices running ASA 8.3 and newer, if it isn't, then the best course of action is to remove the dns domain lookup command. If this isn't possible please see the subsequent sections on mitigation below.                                                                                                                                                                                                                                     

IOS XE
Border routers running IOS XE (e.g. ASR 1k) may also be vulnerable to this issue. Look for references to the ip name-server command:

ip domain-lookup
ip name-server 8.8.8.8 8.8.4.4

Mitigation 
By default, a router will also perform broadcast DNS lookups if no DNS server is specified. This can be disabled using the "no ip domain lookup" command. If your device is actively making use of DNS and this functionality cannot be disabled then please see the subsequent sections on mitigation below.

 

IOS XR
Border routers running IOS XR (e.g. ASR 9k) may also be vulnerable to this issue. Again it is not common to configure these devices with a DNS server.  Look for the presence of the following command configuring a DNS server.

domain name-server 8.8.8.8 8.8.4.4

Mitigation
You can completely disable DNS resolution on IOS XR using the domain lookup disable command:

domain lookup disable

 If you can’t disable DNS then please see the subsequent sections on mitigation below. ≈ 

 

Expressway and other Products
Expressway is one of the most at-risk devices because it's core functionality, unlike most other edge products, is highly dependent on DNS. At present, there is no clear statement on the level of risk for this product, however, we believe it to be vulnerable as it is definitely a Linux-based appliance. A large number of Cisco's other products, particularly in the UC, Management (Prime) and Security space are also Linux based and likely to be affected to some degree.

 

Network Level Mitigation

Edge Mitigation
As the vulnerability can only be exploited by larger packets, the following configurations should block traffic that uses UDP packets larger than 512 bytes and TCP packets larger than 1024. It is possible to configure border devices to drop this traffic. Be aware that this could have an impact on DNS performance as well as CPU load on devices that are not presently configured for inspection. Extreme caution is required while making these configuration changes and assessing their impact. Unfortunately, this change can block substantial amounts of valid DNS traffic.  The following rules will need to be carefully tested before implementation to ensure that there is no operational impact in your environment. We leave it to the readers discretion to decide specifically how to balance level of risk and service impact in their environment.

Blocking Large DNS Packets

ASA
Based on the default policy map of:

policy-map type inspect dns preset_dns_map
parameters
   message-length maximum client auto
   message-length maximum 512
policy-map global_policy
class inspection_default
   inspect dns preset_dns_map

We will make the following changes:

policy-map type inspect dns preset_dns_map
parameters
   no message-length maximum client auto

Unfortunately, this change only impacts UDP and not TCP DNS traffic, as such it is not a complete solution to blocking potentially hostile traffic. Please let us know if you're aware of another method in the comments and we'll update the post.

IOS
This policy-map will drop DNS traffic exceeding 512 bytes of udp or 1024 bytes of tcp for specific hosts mentioned in the glibc-block-tcp-traffic-acl and glibc-block-udp-traffic-acl ACLs.

ip access-list extended glibc-block-tcp-traffic-acl
permit tcp any eq domian host 192.168.1.2
ip access-list extended glibc-block-udp-traffic-acl
permit udp any eq domain host 192.168.1.2
 
class-map match-all glibc-udp-traffic-class
match access-group name glibc-block-udp-traffic-acl
match packet length min 513
class-map match-all glibc-tcp-traffic-class
match access-group name glibc-block-tcp-traffic-aclmatch packet length min 1025
match packet length min 1025
 
policy-map glibc-traffic-policy
class glibc-udp-traffic-class

   police 8000 conform-action drop
class glibc-tcp-traffic-class
   police 8000 conform-action drop
class class-default
 
interface gi0/1
service-policy output glibc-traffic-policy

Name Server Reconfiguration
There are configuration changes that can be made to DNS servers that reduce the size of DNS requests. One change that has a very substantial impact on DNS query size is disabling DNSSEC. This does increase the potential security impact of a MITM attacker but it also allows you to complete most DNS queries with much smaller packets. Here are the configuration changes required to address this issue on BIND and Active Directory, similar changes should be possible on other platforms.

BIND:
Adding the following to your named.conf to disable DNSSEC and EDNS:

dnssec-validation no;
edns no;

http://linux.die.net/man/5/named.conf

AD
Run the following commands and restart the DNS service in order to disable DNSSEC and EDNS

dnscmd /enableednsprobes 0
dnscmd /enablednssec 0

 And restart the DNS service.

https://technet.microsoft.com/en-us/library/cc772069.aspx

 

IPS Mitigation 

Cisco Sourcefire / Snort
There are currently some snort rules available for this threat, they are already included in Sourcefire 2016-02-18 ruleset update.
 
 
Palo Alto
Palo-Alto has implemented detection for exploitation of this vulnerability in emergency update 560, signature id 38898, we recommend changing the action from the default of alert to drop or reset both.

 

If you’re interested in ongoing support or project-based support; we would love to talk to you about your environment and your specific needs. 

Do not miss out receive expert tips and insights straight to your inbox!

Subscribe to our blog today!

 

Topics: Security, Network & Security Insights, Network

Don’t miss out. Expert advice straight to your inbox!

Insightful tips, troubleshooting and solutions for your everyday Unified Communications challenges from our team of experts. You can look forward to:

  • Weekly UC tips;
  • Cisco Unified Communications insights;
  • UCCX - Contact Center insights;
  • Network and Security insights;
  • Cisco Release notes and Product reviews.
Join us for free live demo