[sssForm]
On January 27th, 2015, buffer overflow vulnerability in glibc affecting versions 2.2 to 2.17 was released by Qualys. It affects the __nss_hostname_digits_dots() and can be triggered in a few different ways, all of which require the attacker to have a certain control over the arguments passed to the function. In their advisory, Qualys calls in particular the legacy functions gethostbyname*().
The vulnerability is assigned CVE-2015-0235 (see references below).
A10 analyzed all calls to the deprecated gethostbyname*() functions, as well as the underlying culprit __nss_hostname_digits_dots(), in our codebase. It appears the use of those functions is very limited and only constrained to components reading user-supplied configuration files/options; thus, in the unlikely event of successful exploitation, a user, who already has administrative privileges, may be able to crash the configuration process or execute arbitrary code. Since the user would require administrative access to do that no privilege escalation could occur and crashing the system would be equivalent to that system user issuing the shutdown command.
Nevertheless, engineering is already in the process of upgrading the software to include unaffected versions of the glibc library. The patches in which this will be fixed are summarized in the “Software Updates” section. For timelines, please refer to the A10 support web site.
Also, if we discover any risks for particular software trains, we will issue special patches.
In addition to core OS code, A10 appliances offer the ability to execute custom health check scripts. It is possible that those health checks invoke some of the legacy functions with data supplied of less trusted entity. We cannot assess this scenario since we do not have access to, nor support, those customer-created custom scripts—but we want to warn customers to investigate this potential issue.
Since the only possible way to pass user-controlled data to the device is through the configuration mechanism, it is recommended that customers evaluate if some automated processes are allowing untrusted data (namely IP addresses) to be included in the configuration files.
In the case of custom health check scripts the customer needs to do an assessment and decide the best way to mitigate if necessary
Software updates resolving this potential vulnerability will be published at the following URL when available: https://www.a10networks.com/support/axseries/software-downloads#CVE-2015-0235
The following table summarizes update versions.
|
Vulnerable Release |
Resolved Release |
|
3.0.0-TPS-P2-SP17 |
3.0.0-TPS-P2-SP18 |
|
3.1.0-SP1 |
3.1.1 |
|
3.1.0-P1 |
3.1.1 |
|
2.9.1-P2-SP26 |
3.0.0-TPS-P2-SP18 |
|
2.6.1-GR1-P14 |
2.6.1-GR1-P14-SP1 |
|
2.7.0-P6 |
2.7.0-P7 |
|
2.7.1-P6 |
2.7.1-GR1 |
|
2.7.2-P4 |
2.7.2-P5 |
|
2.6.6-GR1-P5 |
2.6.6-GR1-P6 |
|
2.8.0-P4 |
2.8.0-P5 |
|
2.8.1-P2 |
2.8.1-P3 |
|
2.8.2-P2 |
2.8.2-P3 |
|
4.0.0 |
4.0.1 |
Affected Platforms: ADC, CGN, TPS, HVA, a Galaxy
Affected Software Versions: 2.6.1-GR1-X, 2.7.X, 2.6.6-GR1-x, 2.8.x, TPS 2.9.1, TPS 3.x.x.
| Vulnerability ID | Vulnerability Description |
|---|
| Ref # | General Link |
|---|
| Revision | Date | Description |
|---|---|---|
| 1.0 | February 2, 2015 |
In summary of updates table 2.6.1-GR1-P15 replaced with 2.6.1-GR1-P14-SP1. |
| 2.0 | February 10, 2015 |
Updated first paragraph of section “Details as Pertaining to A10 Software and Equipment”. |