Security flaw affecting thousands of Linux apps and IoT devices uncovered

Flaw in glibc open source code library leaves Linux-based devices open to malware

Red Hat and Google's security team have uncovered a security flaw in a widely used computer code library that has left hundreds of thousands of devices vulnerable to malware when performing domain-name lookups.

The bug was found in the GNU C Library, colloquially known as glibc, which offers developers a collection of open source code to act as the foundation of an app and can be found in many distributions of Linux.

A buffer overflow bug, which causes programs to try to read and write more data than their allocated memory allows, was located in the getaddrinfo() function of glibc, which performs searches for IP addresses using domain name servers (DNS).

Google's security team explained that when the getaddrinfo() function tries to communicate with a web domain or server controlled by a malicious party, or if the query is intercepted by a hacker, it is possible for malicious code to be inserted into vulnerable devices or cause them to crash. Versions of glibc above 2.9 are vulnerable to the bug.

"The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used. Software using this function may be exploited with attacker-controlled domain names, attacker-controlled DNS servers, or through a man-in-the-middle attack," the team said in a blog post.

The bug has since been patched by the maintainers of glibc. But given that it was introduced in 2008 and has avoided detection until now, the number of machines and devices that may have been infected by malware making use of the bug could be vast.

This is further compounded by the fact that Linux is used as the foundation operating system for many smart and Internet of Things (IoT) devices, notably routers.

These devices are not updated as often as laptops, PCs and smartphones, so the vulnerability may be difficult to wipe out.

App and hardware developers could also be in for a nasty surprise as they may need to rework their apps with the patched version of the glibc code library.

The bug serves as a warning that, while open source tools offer an affordable and flexible way to build apps and embed functional operating systems into devices, they are also reliant on the community that maintains them.

Google explained that the bug was identified several years ago but appeared not to have been patched.

"To our surprise, we learned that the glibc maintainers had previously been alerted of the issue via their bug tracker in July 2015," the security team said.

It also highlights security concerns around the IoT and the increase of internet-connected devices.