A tale of a DNS exploit: CVE-2015-7547

What's this blog post about?

A buffer overflow in the GNU libc DNS stub resolver code was announced as CVE-2015-7547. The vulnerability affects any platform with a recent GNU libc, including servers and personal computers. The only effective mitigation is patching the system. Limiting UDP response size to 2048 bytes or less does not work and may force legitimate queries to retry over TCP. Running a local caching DNS resolver can improve internet performance and protect against past and possibly future security vulnerabilities, but it is not sufficient to defuse this attack. An off-path attack scenario is also possible through a caching DNS resolver. The key factor in a real-world non-MitM attack through a caching resolver is indirectly controlling the messages between the resolver and the client.

Company
Cloudflare

Date published
Feb. 29, 2016

Author(s)
Marek Vavruša, Jaime Cochran

Word count
2158

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.