Updating Systems for glibc DNS Vulnerability and Workaround

This post explains how to update your servers and how you can use iptables as workaround to fix DNS vulnerability found in glibc (CVE-2015-7547).

By now all good sysadmins should know that a new DNS vulnerability has been found and if you didn't then just read this blog post by Google's researchers.

I did update the Debian/Ubuntu servers with the tipical commands:

$ sudo apt-get update
$ sudo apt-get upgrade

and the CentOS/RedHat ones with:

$ sudo yum clean all
$ sudo yum update
$ sudo systemctl daemon-reexe

last command is to avoid to reboot your system.

Currently, I don't work with any Suse servers but in case you need to, this is the command:

# zypper up

 

Of course I also wanted to patch my Fedora but after running the usual command:

$ sudo yum update

I notice that glibc wasn't updated yet, ... uhmm I suppose I have to wait a little bit for the patch meanwhile I'd like to be protected, and this is the workaround to get you covered by using iptables.

$ sudo iptables -I INPUT -p udp --sport 53 -m length --length 511:65535 -j DROP
$ sudo iptables -I INPUT -p udp --dport 53 -m length --length 511:65535 -j DROP

to check that rules are inserted correctly you can use:

$ sudo iptables -L -nv|grep 53

 

                    Danilo