The vulnerability was first introduced in 2008 in the GNU C Library (glibc), the open-source library that underpins thousands of standalone applications and most Linux distributions, including those shipped on routers and other hardware.
The bug is a buffer overflow in getaddrinfo(), the function that performs domain-name lookups, and it allows an attacker to execute malicious code remotely. It can be triggered when a device looks up an attacker-controlled domain name, queries an attacker-controlled domain name server, or receives a reply from an attacker positioned on the network path who can answer the query in the server's place.
Every version of glibc from 2.9 onward is affected. Anyone running Linux-based software or hardware that performs domain-name lookups should install the patch as soon as possible. Because the flaw lives in the shared library rather than in any one program, remediation means updating glibc itself and restarting (or rebooting) the processes that have the old copy loaded; patching an individual application does not help.
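A first triage step on an affected host is to read the installed glibc version and compare it against the range the article gives. The script below is an added example, not code from the article or from the glibc project; the helper names (glibc_in_affected_range, installed_glibc_version, report) are my own. It only tells you whether the version number falls in the affected range; distributions backport fixes without bumping the version, so a hit means "check that your vendor's patched package is installed", not "this host is exploitable".

```shell
#!/bin/sh
# Added example (not from the article): classify a glibc version string
# against the affected range described above (2.9 and later).

# Return 0 when MAJOR.MINOR is 2.9 or later, 1 when it predates the bug,
# 2 when the string cannot be parsed. Accepts "2.17", "2.12.1", "2.17-106".
glibc_in_affected_range() {
    ver=$1
    case "$ver" in *.*) ;; *) return 2 ;; esac   # need at least MAJOR.MINOR
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}          # drop a patch level such as 2.12.1
    minor=${minor%%-*}         # drop a package suffix such as 2.17-106
    case "$major" in ""|*[!0-9]*) return 2 ;; esac
    case "$minor" in ""|*[!0-9]*) return 2 ;; esac
    if [ "$major" -gt 2 ]; then return 0; fi
    if [ "$major" -eq 2 ] && [ "$minor" -ge 9 ]; then return 0; fi
    return 1
}

# Read the version of the glibc actually loaded on this system.
# getconf GNU_LIBC_VERSION prints "glibc 2.31"; ldd --version is the fallback
# and prints the version as the last word of its first line.
installed_glibc_version() {
    v=$(getconf GNU_LIBC_VERSION 2>/dev/null | awk '{print $2}')
    [ -n "$v" ] || v=$(ldd --version 2>/dev/null | head -n 1 | awk '{print $NF}')
    printf '%s\n' "$v"
}

# Print a one-line verdict for a version string.
report() {
    v=$1
    glibc_in_affected_range "$v"
    case $? in
        0) echo "glibc $v is in the affected range (2.9 or later): confirm the vendor's patched package is installed and restart long-running services" ;;
        1) echo "glibc $v predates the bug" ;;
        *) echo "could not parse glibc version '$v'" ;;
    esac
}

report "$(installed_glibc_version)"
```

Run it as root or as any user; it needs no privileges because it only reads the library version. On a host that is in range, the follow-up is your distribution's changelog or advisory for the installed package, since the version string alone cannot show whether the backported fix is present.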
“It’s a big deal,” Washington, DC-based security researcher Kenn White told Ars, referring to the vulnerability. “This is a core bedrock function across Linux. Things that do domain name lookup have a real vulnerability if the attacker can answer.”
One Linux-based package that is not vulnerable is Google's Android mobile operating system, which uses a glibc substitute known as Bionic.
“This was an amazing coincidence, and thanks to their hard work and cooperation, we were able to translate both teams’ knowledge into a comprehensive patch and regression test to protect glibc users,” the Google researchers wrote.