The Skinny on CVE-2015-7547
While the DNS vulnerability CVE-2015-7547 was discovered a week ago, the code containing the flaw has been in use since May 2008. CVE-2015-7547 allows arbitrary code to execute on any system reliant on glibc by way of a malformed DNS query response. As discovered by Red Hat and Google, the flaw lies in the GNU C Library (glibc), which is the code that queries DNS to resolve names on behalf of programs. The problematic code affects all versions of glibc since 2.9 and allows for remote code execution.
We have seven signatures for it, the first of which was released the day after the flaw was discovered. We pushed the beta version of that rule to our research partners immediately, and to all sensors during the normal daily signature update.
2022531 || ET EXPLOIT Possible 2015-7547 Malformed Server response || cve,2015-7547
2022542 || ET EXPLOIT Possible 2015-7547 PoC Server Response || cve,2015-7547
2022543 || ET EXPLOIT Possible CVE-2015-7547 Long Response to A lookup || cve,2015-7547
2022544 || ET EXPLOIT Possible CVE-2015-7547 Long Response to AAAA lookup || cve,2015-7547
2022545 || ET EXPLOIT Possible CVE-2015-7547 Malformed Server Response A/AAAA || cve,2015-7547
2022546 || ET EXPLOIT Possible CVE-2015-7547 A/AAAA Record Lookup Possible Forced FallBack(fb set) || cve,2015-7547
2022547 || ET EXPLOIT Possible CVE-2015-7547 Large Response to A/AAAA query || cve,2015-7547
Signature 2022547 is currently triggering at multiple customer sites, though for now only in low volume. However, according to Dan Kaminsky, this is a threat that could swiftly escalate as adversaries refine their attack strategies to increase the damage CVE-2015-7547 makes possible. Patching this bug is paramount, as is continuously monitoring your systems for attempts to exploit it.
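The condition the "Large Response to A/AAAA query" signatures look for can also be checked offline over captured DNS payloads. The following is an added example, not code from the original post or from the Emerging Threats rule set: it parses the DNS header and first question of a response and flags replies to A or AAAA queries whose size exceeds the published trigger threshold for this bug. The 2048-byte threshold and the constructed sample replies are assumptions of the example, not values taken from the signatures above.

```python
import struct

# CVE-2015-7547 is triggered by a reply to an A or AAAA query that exceeds the
# resolver's 2048-byte stack buffer; the threshold is this example's assumption.
OVERSIZE_THRESHOLD = 2048
QTYPE_A, QTYPE_AAAA = 1, 28


def parse_qname(msg, offset):
    """Return (dotted name, offset after the name) for the name at `offset`."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) or ".", offset
        if (length & 0xC0) == 0xC0:        # compression pointer: 2 bytes, name ends
            return ".".join(labels), offset + 1
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length


def classify_response(msg):
    """Describe a DNS message and say whether it matches the oversize A/AAAA
    response pattern. Only the first question is examined."""
    if len(msg) < 12:
        return {"suspicious": False, "reason": "truncated header"}
    _txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not (flags & 0x8000) or qdcount == 0:       # QR bit clear, or no question
        return {"suspicious": False, "reason": "not a response with a question"}
    qname, off = parse_qname(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    oversize = len(msg) > OVERSIZE_THRESHOLD
    suspicious = oversize and qtype in (QTYPE_A, QTYPE_AAAA)
    reason = "oversize reply to A/AAAA query" if suspicious else "within limits"
    return {"qname": qname, "qtype": qtype, "length": len(msg),
            "suspicious": suspicious, "reason": reason}


def build_response(qname, qtype, answers):
    """Constructed sample reply: one question plus `answers` records of `qtype`,
    each using a pointer (0xC00C) back to the question name."""
    header = struct.pack("!6H", 0x1234, 0x8180, 1, answers, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode() for l in qname.split(".")) + b"\x00"
    rdata = b"\x0a\x00\x00\x01" if qtype == QTYPE_A else b"\x20\x01" + b"\x00" * 14
    rr = b"\xc0\x0c" + struct.pack("!HHIH", qtype, 1, 60, len(rdata)) + rdata
    return header + name + struct.pack("!HH", qtype, 1) + rr * answers
```

A real deployment would feed `classify_response` the UDP payload or the length-prefixed TCP message from a capture, since the bug is reachable over both transports.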