SonicWall Notice Concerning CVE-2015-7547 Glibc Vulnerability
On Tuesday, February 16th, 2016, Google posted a blog outlining a vulnerability in glibc (the GNU C library), which is used in many products and leaves those products vulnerable to remote exploitation. The vulnerability, identified as CVE-2015-7547, is similar to Heartbleed and Shellshock in terms of the scope of affected systems, but is not as serious because it is significantly more difficult to exploit. Successful exploitation of the vulnerability relies on the potential victim communicating with a hostile/malicious DNS server or being subject to a man-in-the-middle attack. Nevertheless, the vulnerability is considered to be critical by the industry since it can lead to remote exploitation of the client system.
The Dell SonicWALL threat research team successfully published an IPS signature on Tuesday, February 16th that automatically updated all customer systems running IPS (Intrusion Prevention Service) worldwide, protecting networks behind our firewalls within 12 hours of identification. Additional signatures were added on Wednesday, February 17th (details below).
Please note: SonicOS (the SonicWALL operating system) is not affected. However, if you do not have an active security services subscription, including IPS, on your firewall, devices on your network other than SonicWALL devices are vulnerable. Firewalls that do not include security service software cannot be dynamically updated to block late-breaking threats. Therefore, if you are unsure whether your firewall/network security solution is complete (hardware plus current security services subscription), please contact your preferred Dell SonicWALL reseller immediately to rectify this.
· Details about the vulnerability and protection can be found in the SonicAlert article posted here: https://www.mysonicwall.com/sonicalert/searchresults.aspx?ev=article&id=899
· Signatures were released in two batches:
    o February 16th - IPS 11465: glibc getaddrinfo buffer overflow
    o February 17th - More aggressive signatures released to provide greater coverage for the attack. These signatures were released in “Low Priority” rating in order to avoid false positives. These signatures will block DNS responses with certain characteristics that may indicate an attack and are not normal behavior. Our research team will monitor their hit rates and may upgrade them in priority so that they get included in what most systems have configured on “block” versus “detect”.
        - 11467 DNS glibc getaddrinfo buffer overflow 2
        - 11468 DNS glibc getaddrinfo buffer overflow 3
        - 11469 DNS glibc getaddrinfo buffer overflow 4
        - 11470 DNS glibc getaddrinfo buffer overflow 5
In summary, we’re providing “virtual patching” to all Dell SonicWALL customers worldwide who are running the Dell SonicWALL IPS service. This is not the first time that IPS on the firewalls has been the first line of defense against these broad attacks; Heartbleed and Shellshock were good examples of this as well.
Should you have further questions or need assistance, please contact your preferred Dell SonicWALL reseller or Dell SonicWALL Support.