A serious Linux vulnerability reverberated through the open source community this week, prompting major vendors like Cisco Systems to issue security alerts while experts attempted to determine the extent of the exposure and how best to fix it.
Meanwhile, a key open-source stakeholder stressed that the vulnerability raises new questions about the security of emerging Linux platforms like application containers.
The vulnerability in the GNU C Library (glibc), the open source C runtime that nearly every Linux distribution ships and that most Linux programs link against, is thought to affect most Linux distributions and thousands of applications. According to reports, the flaw is in the glibc function that applications call to resolve domain names, so any networked program that looks up a hostname through the library, not only DNS software, is a potential entry point.
“The vulnerability could allow an unauthenticated, remote attacker to trigger a buffer overflow condition that may result in a denial of service (DoS) condition or allow the attacker to execute arbitrary code on the affected device,” according to Cisco Systems (NASDAQ: CSCO).
The Linux vulnerability prompted Cisco to issue a product security advisory on Thursday (Feb. 18) containing a lengthy list of affected products. The advisory was rated "High."
The vulnerability can be triggered when an affected application looks up a domain name whose DNS responses an attacker controls. That can happen because the attacker runs the authoritative name server for the queried domain, or because the attacker sits in the network path between the client and its resolver (a so-called man-in-the-middle position) and answers the lookup with a crafted response before the legitimate one arrives. Either way, the attacker needs no credentials on the target; a single malicious reply to an ordinary name lookup is enough.
Maintainers of the open source library released a patch shortly after the glibc vulnerability was disclosed, and distributions shipped rebuilt glibc packages. Because name resolution is performed inside the shared library rather than in each application, updating the library package fixes every dynamically linked program on the host at once. Two caveats apply, though: processes that were already running keep the old library mapped in memory until they are restarted (or the host is rebooted), and statically linked binaries and embedded firmware images bundle their own copy of glibc and must be rebuilt by whoever ships them. Downloading and installing the update is therefore a fairly straightforward process for those running general-purpose Linux systems, but it can take longer for hardware makers to deliver a fix.
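One check a practitioner wants after applying the package update is whether any long-running daemons are still using the old library. The script below is an added example, not code from the article or from any vendor advisory: it scans /proc for processes whose memory maps still reference a libc file that has since been replaced on disk (the kernel tags such mappings "(deleted)"). It assumes a Linux host with procfs mounted; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the article or any vendor advisory): after the glibc
# package is updated, processes started before the update keep the OLD library
# mapped in memory and stay exploitable until they are restarted. The kernel
# marks such mappings "(deleted)" in /proc/<pid>/maps once the file on disk has
# been replaced, which is what this script looks for. Assumes a Linux host with
# procfs mounted; function and variable names are this example's own.

# Succeeds (exit 0) if the /proc/<pid>/maps text on stdin maps a replaced libc.
# The pattern matches "libc-2.21.so" and "libc.so.6" style names but not
# libcrypto, libcurl and the like.
maps_has_stale_libc() {
    grep -E '/libc(-[0-9.]+)?\.so(\.[0-9]+)* \(deleted\)$' >/dev/null
}

# Prints "<pid> <comm>" for every running process with a stale libc mapping.
# Only processes readable by the caller are checked, so run as root to audit
# the whole host.
list_stale_libc_pids() {
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if maps_has_stale_libc < "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)"
        fi
    done
}

# Prints the glibc version string reported by the dynamic loader. Note that
# distributions backport fixes without bumping this number, so the version
# alone does not prove a host is patched; check the package changelog as well.
glibc_version() {
    ldd --version 2>/dev/null | sed -n '1s/.* //p'
}

# Run with "--scan" to audit the host; running without arguments only
# defines the functions so they can be sourced from other scripts.
case "${1:-}" in
    --scan)
        printf 'glibc version: %s\n' "$(glibc_version)"
        list_stale_libc_pids
        ;;
esac
```

Run it as `sh stale_libc.sh --scan` as root immediately after the package update; every process it lists should be restarted, and a non-empty list after a reboot indicates a binary that carries its own (statically linked or vendored) copy of the library and needs a rebuild from its supplier.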
Google and Red Hat engineers uncovered the glibc vulnerability. According to Red Hat (NYSE: RHT), a key Linux stakeholder, “through this flaw, attackers could remotely crash or even force the execution of malicious code on machines without the knowledge of the end user.”
In a blog post, two Red Hat product managers said the glibc vulnerability raises another issue as Linux makes inroads into enterprise IT infrastructure: How will emerging Linux-based applications be secured?
“Who’s fixing containers?” Red Hat executives Josh Bressers and Gunnar Hellekson asked in their post. They noted that many Linux container vendors provide only security scanners to spot vulnerabilities like glibc. “But these vendors aren’t actually in control of the containers that their users are deploying, let alone the underlying operating system powering these container deployments.
“This means that while they are offering the tools for you to find these problems, when it comes to actual fixes, they may not have the expertise, capabilities or the ownership to actually fix the problem,” asserted Bressers, Red Hat’s senior product manager for security, and Hellekson, director of product management for Red Hat Enterprise Linux.
“Container [vulnerability] scanners are a paper tiger,” they concluded. In response, Red Hat along with Docker, CoreOS and other container vendors have begun including security features like container registries and other access controls along with encryption.
The sheer breadth of the glibc vulnerability prompted at least one open source proponent to wonder how entrenched it may be in the Linux infrastructure. Tweeted CoreOS CEO Alex Polvi, whose startup offers an encrypted container platform: “Does the glibc vulnerability have a brand name yet?”