Vulnerability in GNU glibc Affecting Nutanix Products: February 2016

26 Feb

Advisory ID: Nutanix-sa-003-glibc, CVE-2015-7547
Last Updated: 25 February 2016
Published: 25 February 2016
Version: 1.0


On February 16, 2016, an industry-wide critical vulnerability in the GNU C library (glibc) was publicly disclosed. This vulnerability could allow an unauthenticated remote attacker to trigger a stack-buffer overflow that may result in a denial of service (DoS) condition or allow the execution of arbitrary code on the device. Exploitation relies on the ability to control a DNS zone remotely and pass malicious, improperly sized packets over TCP and UDP DNS connections to machines requesting A or AAAA records from that controlled zone/domain.

Products Affected (all software versions)

Acropolis base software
Acropolis Hypervisor
Baseboard Management Controller (BMC)
Community Edition
Foundation
Nutanix OpenStack
Prism Central

Details:

As part of the Nutanix Security Development Lifecycle process, nSERT conducted a thorough investigation of the impact of the vulnerability. This research has led to the determination that CVE-2015-7547 does pose a significant risk to systems that use a DNS resolver that is either outside of their control (external to their security boundary) or otherwise unpatched and susceptible to this vulnerability.
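One way to flag the traffic pattern described above on the path between a host and a resolver outside its control, as an added example that is not part of the Nutanix advisory. The function names are hypothetical, the sample messages are constructed, and the 2048-byte threshold is an assumption taken from the public glibc disclosure rather than from this page.

```python
import struct

# Assumption: 2048 bytes is the resolver stack-buffer size given in the public
# glibc disclosure; this advisory itself does not state a threshold.
MAX_SAFE_RESPONSE = 2048
QTYPE_A, QTYPE_AAAA = 1, 28

def parse_question(msg):
    """Return (is_response, qtype) of the first question, or None if malformed."""
    if len(msg) < 12:
        return None
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        return None
    pos = 12
    while pos < len(msg) and msg[pos] != 0:   # walk the QNAME labels
        if msg[pos] & 0xC0:                   # compressed/reserved label: malformed
            return None
        pos += 1 + msg[pos]
    pos += 1                                  # skip the root label
    if pos + 4 > len(msg):
        return None
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return bool(flags & 0x8000), qtype

def is_suspicious(payload, transport):
    """Flag oversized responses to A/AAAA lookups seen on UDP or TCP port 53."""
    if transport == "tcp":                    # TCP carries a 2-byte length prefix
        if len(payload) < 2:
            return False
        size = struct.unpack("!H", payload[:2])[0]
        msg = payload[2:]
    else:
        size, msg = len(payload), payload
    parsed = parse_question(msg)
    if parsed is None:
        return False
    is_response, qtype = parsed
    return is_response and qtype in (QTYPE_A, QTYPE_AAAA) and size > MAX_SAFE_RESPONSE

def sample(qtype, size, response=True):
    """Constructed message: header + question for example.test + zero padding."""
    head = struct.pack("!HHHHHH", 0x1234, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    question = b"\x07example\x04test\x00" + struct.pack("!HH", qtype, 1)
    return (head + question).ljust(size, b"\x00")

if __name__ == "__main__":
    for qt, n in [(1, 512), (28, 3000), (15, 3000)]:
        print(qt, n, is_suspicious(sample(qt, n), "udp"))
```

Large responses also occur legitimately, so a hit is a reason to check which resolver sent it, not proof of an attack.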

Source:

This vulnerability was publicly disclosed by Red Hat and Google on February 16th, 2016. Details of its CVSS severity and metrics can be found under CVE-2015-7547.

Download the PDF via Nutanix 

Please contact Secure Sense if you have any additional questions or concerns regarding this matter.
