Security Researchers At Red Hat And Google Warn Of Serious Linux Skeleton Key Vulnerability

If you operate a Linux-based computer system, especially a server, here's something you will want to make sure you do if you haven't done so in the past week: update. Last week, researchers at Google and Red Hat jointly announced a severe vulnerability in glibc, aka the GNU C Library, which virtually every Linux install will have. If you updated within the past week, you're likely safe, but if you're not sure you patched this particular bug, run the updater again just to double-check. As usual, it's always better to be safe than sorry.

“Essentially, through this flaw, attackers could remotely crash or even force the execution of malicious code on machines without the knowledge of the end user,” according to Red Hat’s security blog, written by Gunnar Hellekson, Red Hat director of product management, and Josh Bressers, Red Hat senior product manager for security. Red Hat rated the potential impact as Critical.

When the vulnerability was disclosed, it seemed as though control of the DNS server would be required to exploit it. Now, the same researchers, joined by Dan Kaminsky, Chief Scientist of White Ops, and others, have shown that the bug can actually be exploited independently of the DNS server, making it a much more severe bug than originally believed.

Just how severe is this bug? Well-respected researcher Dan Kaminsky equates it to being like a "skeleton key of unknown strength." While there are few things that sound as cool as a "skeleton key," the implications here are downright scary. Kaminsky even likens this to being worse than Heartbleed, because that "tended to affect things we knew were on the network," whereas this "affects a universally used library at a universally used protocol."

[Figure: Visualization of glibc's (dead center) relation to other Linux software in Ubuntu]

As notable as this bug is, the upside is that it can be patched right now, and with ease. All Linux distributions worth their weight in megabytes have already pushed the patched glibc to their respective repositories, so for those manning Linux servers, this is as simple as updating the system - something that should be done on a very regular basis anyway.
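One follow-up check for the "update, then double-check" advice above, added here as an example and not taken from the article or from Red Hat: the package update replaces the libc file on disk, but a daemon that was already running keeps the old copy mapped until it is restarted. On Linux, /proc/<pid>/maps marks such a mapping "(deleted)", and the script below looks for libc mappings carrying that marker; the maps excerpts and PIDs in SAMPLE_MAPS are constructed for illustration.

```python
import os
import re
from pathlib import Path

# glibc's C library file names (libc-2.21.so, libc.so.6), not libcrypto/libcurl.
LIBC_NAME_RE = re.compile(r"libc(-\d[\d.]*\.so|\.so(\.\d+)?)")

# Constructed sample /proc/<pid>/maps excerpts, not captured from a real host.
# PID 4242 still maps a libc file that the package update replaced on disk;
# PID 4243 was started after the update and maps the current file.
SAMPLE_MAPS = {
    4242: "7f0c4c400000-7f0c4c5b1000 r-xp 00000000 08:01 1311 /lib/x86_64-linux-gnu/libc-2.21.so (deleted)\n"
          "7f0c4c7b5000-7f0c4c7b7000 rw-p 00000000 00:00 0\n",
    4243: "7f2a3c000000-7f2a3c1b1000 r-xp 00000000 08:01 1320 /lib/x86_64-linux-gnu/libc-2.21.so\n"
          "7f2a3c3b5000-7f2a3c3b7000 rw-p 00000000 00:00 0\n",
}

def is_libc_name(basename):
    return LIBC_NAME_RE.fullmatch(basename) is not None

def stale_libc_mappings(maps_text):
    """Return the libc paths a process maps whose backing file has been replaced on disk."""
    stale = set()
    for line in maps_text.splitlines():
        fields = line.split(None, 5)   # address perms offset dev inode [path]
        if len(fields) < 6 or not fields[5].endswith(" (deleted)"):
            continue                   # anonymous mapping, or file still current
        path = fields[5][: -len(" (deleted)")]
        if is_libc_name(os.path.basename(path)):
            stale.add(path)
    return stale

def scan(maps_by_pid):
    """Map PID -> stale libc paths for every process that must be restarted."""
    found = {pid: stale_libc_mappings(text) for pid, text in maps_by_pid.items()}
    return {pid: paths for pid, paths in found.items() if paths}

def live_maps(proc_root="/proc"):
    """Collect maps of every readable process on a real Linux host (root sees all)."""
    out = {}
    for entry in os.listdir(proc_root):
        try:
            out[int(entry)] = Path(proc_root, entry, "maps").read_text()
        except (ValueError, OSError):
            continue                   # not a PID, or not permitted to read
    return out

if __name__ == "__main__":
    for pid, paths in sorted(scan(live_maps() if os.path.isdir("/proc") else SAMPLE_MAPS).items()):
        print(f"PID {pid} must be restarted; it still maps {', '.join(sorted(paths))}")
```

An empty result after the update means no process is still running on the replaced library; any PID listed should be restarted (or the host rebooted) before the fix is considered in effect.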

The big problem here, of course, is the fact that the number of affected systems is downright overwhelming. glibc is an integral part of Linux, so even home OSes are going to be impacted. Remember what we saw from Heartbleed? Two months after it hit, hundreds of thousands of servers were still found to be vulnerable.

Either way, those who keep well in tune with these issues are going to be the ones sporting the safest servers, and in turn are the ones keeping the companies they manage resources for safer than most others.