Vulnerability in GNU glibc Affecting Nutanix Products: February 2016
Advisory ID: Nutanix-sa-003-glibc CVE-2015-7547
Last Updated: 25 February 2016
Published: 25 February 2016
On February 16, 2016, an industry-wide critical vulnerability in the GNU C library (glibc) was publicly disclosed. This Nutanix vulnerability could allow an unauthenticated remote attacker to trigger a stack-buffer overflow that may result in a denial of service (DoS) condition, or allow for the execution of arbitrary code on the device. This vulnerability relies on the ability to control a DNS zone remotely and pass malicious and improperly sized packets over TCP and UDP DNS connections to machines requesting A or AAAA records from that controlled zone/domain.
Products Affected (all software versions)
Acropolis base software
Baseboard Management Controller (BMC)
As part of the Nutanix Security Development Lifecycle process, nSERT conducted a thorough investigation of the impact of the vulnerability. This research has led to the determination that CVE-2015-7547 does pose a significant risk to systems that use a DNS resolver that is either outside of their control (external to their security boundary) or otherwise unpatched and susceptible to this vulnerability.
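For defenders who want visibility into the "improperly sized" replies described above, the following is an added detection sketch, not code from Nutanix or from the advisory. It flags A/AAAA responses whose DNS payload (for TCP, after the 2-byte length prefix is stripped) exceeds a size limit; the 2048-byte default, the function names and the sample messages are assumptions introduced for this example.

```python
import struct

# Assumption (public analyses of CVE-2015-7547, not this advisory): the
# resolver's on-stack reply buffer is 2048 bytes; larger replies are suspect.
STACK_BUF = 2048
QTYPES = {1: "A", 28: "AAAA"}

def parse_question(msg):
    """Return (is_response, qname, qtype) for a raw DNS message."""
    if len(msg) < 12:
        raise ValueError("short DNS header")
    _id, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount < 1:
        raise ValueError("no question section")
    labels, pos = [], 12
    while True:
        if pos >= len(msg):
            raise ValueError("truncated name")
        n, pos = msg[pos], pos + 1
        if n == 0:
            break
        if n & 0xC0:
            raise ValueError("compression pointer in question name")
        labels.append(msg[pos:pos + n].decode("ascii", "replace"))
        pos += n
    if pos + 4 > len(msg):
        raise ValueError("truncated question")
    qtype, _qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return bool(flags & 0x8000), ".".join(labels), qtype

def flag_oversized(msg, limit=STACK_BUF):
    """Return a finding for an A/AAAA response longer than limit, else None."""
    try:
        is_resp, qname, qtype = parse_question(msg)
    except ValueError:
        return None  # unparseable traffic is left to other checks
    if is_resp and qtype in QTYPES and len(msg) > limit:
        return {"qname": qname, "qtype": QTYPES[qtype], "size": len(msg)}
    return None

def make_msg(qname, qtype, response, pad=0):
    """Constructed sample: header + question + zero filler (not real records)."""
    q = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split(".")) + b"\0"
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    return hdr + q + struct.pack("!HH", qtype, 1) + b"\0" * pad

SAMPLES = [make_msg("example.test", 1, True, 60), make_msg("example.test", 16, True, 3000),
           make_msg("zone.example.test", 28, True, 2100)]
FINDINGS = [f for f in map(flag_oversized, SAMPLES) if f]
```

Only the constructed AAAA reply of 2135 bytes is reported; the small A reply and the large TXT reply are ignored. Large replies can be legitimate, so a finding is a lead for review of the resolver path rather than proof of an attack.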
Please contact Secure Sense if you have any additional questions or concerns regarding this matter.