Feeds

*Nix security pandemic – major zlib/libz vuln

It's inside the walls, under the rug, in the ventilator shafts...

  • alert
  • submit to reddit

Intelligent flash storage arrays

A flaw in the zlib/libz data compression/decompression libraries could enable an attacker to mount a denial of service attack against any Linux or AIX firewall, database server, mail or Web server. It's also possible that arbitrary code could be run on a remote machine.

Because these shared libraries are used by hundreds of packages on numerous platforms, the bug is on a par with the DHCP, SNMP and Sun vulnerabilities recently reported.

The problem here is a stuff-up in a decompression routine which can corrupt the internal data structures of malloc by a double call to the free() function (double-free), discovered by Matthias Clasen. This enables memory space to be cleared twice, and can crash virtually any program.

At the moment there are no known exploits circulating, but of course it's only a matter of time before there will be.

There is no workaround, but most if not all vendors have fixes. Unfortunately, this will apply only to the library on a given system. Apps that link to it dynamically will of course be safe to run after patching, but there are hundreds of apps and services which link statically to or contain implementations of the old code, and these will of course have to be fixed individually.

The Linux kernel also uses the compression library, in the ppp layer and the freeswan IPSec kernel module.

Other apps/services which contain the old code include:

gcc 3.0
gpg
rsync
cvs
rrdtool
freeamp
Netscape (fix in the works)
ssh
vnc
XFree86

A number of these packages (except Netscape) will have been rebuilt either to link dynamically or with their own code updated, but this varies from vendor to vendor. Check with your vendor for the appropriate patches. Once they're installed, it will be necessary to recompile your kernel (if you have the relevant update package) or update the relevant modules. Any apps you built using the old code will have to be recompiled. Generally speaking, you should substitute apps which link dynamically to zlib/libz for ones that link statically or are based on the old code.

Be sure to test all patches thoroughly before integrating them into critical systems.

The repaired zlib version 1.1.4 can be downloaded from zlib.org. CERT has a bulletin with a list of currently-known vulnerable systems, but the list of unknowns is still quite large. However, CERT has proven to be fastidious about updating their advisories as new information becomes available, so do check back regularly.

We'll update this item as soon as we get better information. Data is a bit sketchy at the moment, and we've found some contradictory details in the various vendors' bulletins. ®

Internet Security Threat Report 2014

More from The Register

next story
BOFH: WHERE did this 'fax-enabled' printer UPGRADE come from?
Don't worry about that cable, it's part of the config
Azure TITSUP caused by INFINITE LOOP
Fat fingered geo-block kept Aussies in the dark
You think the CLOUD's insecure? It's BETTER than UK.GOV's DATA CENTRES
We don't even know where some of them ARE – Maude
Want to STUFF Facebook with blatant ADVERTISING? Fine! But you must PAY
Pony up or push off, Zuck tells social marketeers
Yahoo! blames! MONSTER! email! OUTAGE! on! CUT! CABLE! bungle!
Weekend woe for BT as telco struggles to restore service
Oi, Europe! Tell US feds to GTFO of our servers, say Microsoft and pals
By writing a really angry letter about how it's harming our cloud business, ta
prev story

Whitepapers

Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.