indnti
Frequent Visitor
Topic Author
Posts: 86
Joined: Thu Nov 09, 2006 11:53 am

glibc buffer overflow bug

Fri Feb 19, 2016 1:10 am

Ars Technica writes that "researchers have discovered a potentially catastrophic flaw in one of the Internet's core building blocks that leaves hundreds or thousands of apps and hardware devices vulnerable to attacks that can take complete control over them."
http://arstechnica.com/security/2016/02 ... ulnerable/

Does this vulnerability affect RouterOS?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: glibc buffer overflow bug

Fri Feb 19, 2016 3:42 am

I wondered that too - I'm almost certain that it is affected - glibc is a very fundamental library for Linux, but it's possible that RouterOS doesn't use the affected routine(s). It will be interesting to see.
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: glibc buffer overflow bug

Fri Feb 19, 2016 5:05 am

If I understand correctly, the code in question is used during DNS lookups. The Linux kernel is dependent on glibc, so I would bet that it is vulnerable. I'm curious to see how this plays out.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: glibc buffer overflow bug

Fri Feb 19, 2016 5:15 am

> The Linux kernel is dependent on glibc, so I would bet that it is vulnerable. I'm curious to see how this plays out.

Does the Linux kernel code use glibc? I thought it was more of a system-level library (like win32.dll for instance) that almost every application on the system has hooks into. Obviously, on a system that uses the system's central libraries, it's enough to just patch the library and be done, but of course this doesn't rule out statically-linked applications, or apps that ship with their own version of glibc.so (don't know how prevalent that is)

I've done a little reading, and apparently, many router vendors use a more compact library than glibc for embedded systems, so these platforms aren't affected. I don't know if MikroTik is such a system or not - waiting for Normis et al.
 
IntrusDave
Forum Guru
Posts: 1286
Joined: Fri May 09, 2014 4:36 am
Location: Rancho Cucamonga, CA

Re: glibc buffer overflow bug

Fri Feb 19, 2016 5:21 am

While the kernel itself does not have the glibc code, Linux in general depends on it.
