CVE-2015-7547: Revenge of Glibc Resolvers

Published at 2016-02-17 06:41:59

If you've been involved in patch frenzies for any fair amount of time, you might remember last year's hullabaloo around GHOST, a vulnerability in glibc's gethostbyname() function. Well, another year, another resolver bug.

gethostbyname(), meet getaddrinfo()

This time, it's an exploitable vulnerability in glibc's getaddrinfo(). Like GHOST, this will affect loads and loads of Linux client and server applications, and like GHOST, it's pretty difficult to "scan the Internet" for it, since it's a bug in shared library code. Google reports they have a working private exploit, and I know those rascals on the Metasploit team have been poking at the vulnerability today, so do yourself a favor and patch and reboot your affected systems as soon as practical.

The Long Tail of IoT

Unfortunately, as the Ars Technica article points out, there are certainly loads and loads of IoT devices out in the world that aren't likely to see a patch any time soon. So, for all those devices you can't reasonably patch, your network administrator could take a look at the mitigations published by Red Hat, and consider the impact of limiting the actual on-the-wire size of DNS replies in your environment. While it may be a heavy-handed strategy, it will buy you time to ferret out all those IoT devices that people have squirrelled away on your network.

Take A Breath

Finally, as with GHOST, there is a valid reason to be concerned, but we don't think this is the end-of-the-internet-as-we-know-it. The bad news is that an exploit against at least one vector is known to exist, and the impact can be nasty if an attacker can segfault your processes with a malformed DNS response, and worse if they're clever and lucky enough to pop a shell. Plenty of legacy systems will be affected. So that all sounds pretty bad, yes? But, ultimately, this bug is far more difficult to exploit than many. It's difficult to target (by both bad guys and good guys), and the attacks tend to require client interaction. As for those legacy systems? They tend to have, if not bigger problems, adjacent and better understood problems, like Shellshock and Heartbleed. The bottom line is that you should patch (as with any CVE-classified bug), but I wouldn't expect the Internet to come crashing down over this.

Are Rapid7's Products Impacted?

We're still investigating which of Rapid7's products are impacted, and will update customers as we know more. So far, we can confirm that both physical and virtual Nexpose appliances are affected and operating systems for them will need to be updated. Nexpose hosted engines are also affected and are being patched as I type. In both cases, we will reach out to any affected customers to advise on any action that needs to be taken by them.

Nexpose Coverage

Meanwhile, Nexpose picked up the glibc patch update earlier today, and it's going through analysis now; we can expect a check for Nexpose customers shortly, as we're targeting tomorrow's regular release for that. Armed with a Nexpose check, you can get a decent idea of what your threat exposure is to this bug-that-shall-not-be-branded, on the chance that it really does take off in the coming days.
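
Before enforcing the reply-size limit mentioned under The Long Tail of IoT, it helps to know which DNS replies in your environment would be caught by it. The following Python is an added example, not code from the original post or from Rapid7; the 512-byte limit, the function names and the sample records are assumptions constructed for illustration, and each record is assumed to hold exactly one DNS message.

```python
import struct

# Assumed limit (the classic RFC 1035 UDP message size); the post gives no
# number, so set this from the mitigation guidance you adopt.
MAX_REPLY_BYTES = 512

def make_reply(txid, body_len, truncated=False):
    """Build a constructed DNS reply: 12-byte header plus opaque padding."""
    flags = 0x8000 | (0x0200 if truncated else 0)  # QR=1, optional TC bit
    return struct.pack("!6H", txid, flags, 0, 0, 0, 0) + b"\x00" * body_len

def audit_reply(transport, payload, limit=MAX_REPLY_BYTES):
    """Classify one payload as 'ok', 'oversized', 'malformed' or 'query'."""
    if transport == "tcp":
        # DNS over TCP puts a 2-byte length prefix before each message.
        if len(payload) < 2:
            return {"verdict": "malformed", "size": len(payload)}
        (declared,) = struct.unpack("!H", payload[:2])
        msg = payload[2:]
        if declared != len(msg):  # prefix disagrees with the bytes present
            return {"verdict": "malformed", "size": len(msg)}
    else:
        msg = payload
    if len(msg) < 12:  # shorter than a DNS header
        return {"verdict": "malformed", "size": len(msg)}
    txid, flags = struct.unpack("!HH", msg[:4])
    if not flags & 0x8000:  # QR bit clear: a query, not a reply
        return {"verdict": "query", "size": len(msg)}
    verdict = "oversized" if len(msg) > limit else "ok"
    return {"verdict": verdict, "size": len(msg), "txid": txid,
            "truncated": bool(flags & 0x0200)}

def audit_capture(records, limit=MAX_REPLY_BYTES):
    """Return (index, finding) for every oversized or malformed record."""
    results = ((i, audit_reply(t, p, limit)) for i, (t, p) in enumerate(records))
    return [(i, r) for i, r in results if r["verdict"] in ("oversized", "malformed")]

# Constructed sample capture: (transport, payload) pairs, not real traffic.
SAMPLE = [
    ("udp", make_reply(0x1001, 100)),
    ("udp", make_reply(0x1002, 500, truncated=True)),  # exactly 512 bytes
    ("udp", make_reply(0x1003, 2100)),
    ("tcp", struct.pack("!H", 1512) + make_reply(0x1004, 1500)),
    ("tcp", struct.pack("!H", 40) + make_reply(0x1005, 10)),  # bad prefix
]

if __name__ == "__main__":
    for idx, finding in audit_capture(SAMPLE):
        print(idx, finding)
```

Resolvers or devices that regularly show up in the oversized findings are the ones to review before a size limit is applied at the network edge.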

Source: rapid7.com