GlibC Linux Bug or Why Am I Making a New OS?
Mitigating factors for UDP include:
- A firewall that drops UDP DNS packets > 512 bytes.
- A local resolver (that drops non-compliant responses).
- Avoid dual A and AAAA queries (this avoids the buffer management error), e.g. do not use AF_UNSPEC.
- No use of `options edns0` in /etc/resolv.conf, since EDNS0 allows responses larger than 512 bytes and can lead to valid DNS responses that overflow.
- No use of `RES_USE_EDNS0` or `RES_USE_DNSSEC`, since both can lead to valid large EDNS0-based DNS responses that overflow.

Mitigating factors for TCP include:
- Limit all replies to 1024 bytes.

Mitigations that don't work:
- Setting `options single-request` does not change buffer management and does not prevent the exploit.
- Setting `options single-request-reopen` does not change buffer management and does not prevent the exploit.
- Disabling IPv6 does not disable AAAA queries. The use of AF_UNSPEC unconditionally enables the dual query.
- The use of `sysctl -w net.ipv6.conf.all.disable_ipv6=1` will not protect your system from the exploit.
- Blocking IPv6 at a local or intermediate resolver does not prevent the exploit. The exploit payload can be delivered in A or AAAA results; it is the parallel query that triggers the buffer management flaw.

NOTE: Every version of glibc after 2.9 is vulnerable.
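To make the resolv.conf points above checkable on a host, here is an added audit script (not from the original post or from glibc) that parses a resolv.conf and reports `options edns0`, the two `single-request` options that are not mitigations, and any nameserver that is not a loopback address; the sample file contents and the function names are constructed for this example, and a loopback nameserver is only taken as a hint that a local resolver is in use, not proof that it drops non-compliant responses.

```python
"""Audit a resolv.conf against the glibc DNS mitigation list above (added example)."""
import ipaddress
from typing import Dict, List

# Constructed sample file for this example; not captured from a real host.
SAMPLE_RESOLV_CONF = """\
# hand-written sample
nameserver 127.0.0.1
nameserver 2001:db8::53
search example.invalid
options edns0 single-request timeout:2
"""


def parse_resolv_conf(text: str) -> Dict[str, List[str]]:
    """Return nameservers and option tokens, ignoring comments and blank lines."""
    nameservers: List[str] = []
    options: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        key, *values = line.split()
        if key == "nameserver" and values:
            nameservers.append(values[0])
        elif key == "options":
            options.extend(values)
    return {"nameservers": nameservers, "options": options}


def _is_loopback(addr: str) -> bool:
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_resolv_conf(text: str) -> Dict[str, object]:
    """Map the parsed file onto the mitigations and non-mitigations listed above."""
    parsed = parse_resolv_conf(text)
    findings: List[str] = []
    # edns0 lets the stub resolver accept UDP answers larger than 512 bytes.
    if "edns0" in parsed["options"]:
        findings.append("options edns0 present: EDNS0 allows >512-byte UDP answers")
    # Frequently suggested, but neither changes buffer management.
    for opt in ("single-request", "single-request-reopen"):
        if opt in parsed["options"]:
            findings.append(f"options {opt} present: not a mitigation for this bug")
    # A non-loopback nameserver means answers reach the stub resolver unfiltered
    # unless a firewall or intermediate resolver drops oversized replies.
    remote = [ns for ns in parsed["nameservers"] if not _is_loopback(ns)]
    if remote:
        findings.append("non-local nameservers: " + ", ".join(remote))
    return {"parsed": parsed, "findings": findings, "local_only": not remote}


if __name__ == "__main__":
    for line in audit_resolv_conf(SAMPLE_RESOLV_CONF)["findings"]:
        print(line)
```

Point it at a real file with `audit_resolv_conf(open("/etc/resolv.conf").read())`; an empty `findings` list means none of the listed resolv.conf problems were seen, not that the host is patched.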