bmekler
New Contributor III

CVE-2015-7547 glibc vulnerability - is FortiOS vulnerable?

Major bug in glibc affecting DNS lookups, potential remote code execution - https://access.redhat.com/security/cve/cve-2015-7547

 

Is FortiOS vulnerable, and if yes, what versions?


8 REPLIES
ede_pfau
SuperUser

Before FTNT responds (nothing to find yet), there are 2 mitigating measures one can take:

- limit DNS UDP packets to 512 bytes (discard larger packets)

- limit DNS TCP packets to 1024 bytes (discard larger packets)

 

On the fly, any suggestions on how to protect a FGT using these limits? A custom IPS signature?

Ede Kernel panic: Aiee, killing interrupt handler!
bmekler
New Contributor III

How do you apply IPS signatures to traffic originating from (and responding to) Fortigate's own DNS resolver?

ede_pfau

[strike]Using "local-in" policies[/strike] - CLI only. Unfortunately, this does not support UTM profiles.

Ede Kernel panic: Aiee, killing interrupt handler!
horric29

Yes, I'm interested in knowing if we need a patch also. It's a Linux kernel, so I'm assuming we'll need one at some point, right?

denache
New Contributor III

I am testing an IPS signature for CVE-2015-7547. I only enabled logging so I could do more tests.

 

config ips custom
    edit "CVE-2015-7547-UDP"
        set action block
        set comment "GlibC name resolution bug"
        set location client
        set os Linux
        set protocol DNS
        set severity critical
        set signature "F-SBID( --attack_id 8337; --name CVE-2015-7547-UDP; --protocol udp; --service DNS; --flow from_server; --src_port 53; --udp.length > 512; --rate 10,1,limit; --track DNS_DOMAIN; )"
    next
    edit "CVE-2015-7547-TCP"
        set action block
        set comment "GlibC name resolution bug"
        set location client
        set os Linux
        set protocol DNS
        set severity critical
        set signature "F-SBID( --attack_id 5308; --name CVE-2015-7547-TCP; --protocol tcp; --service DNS; --flow from_server; --src_port 53; --data_size > 1024; --rate 10,1,limit; --track DNS_DOMAIN; )"
    next
end

config ips sensor
    edit "CVE-2015-7547"
        config entries
            edit 1
                set action pass
                set log-packet enable
                set rule 5308 8337
                set status enable
            next
        end
    next
end
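
Both custom signatures above reduce to one size test on server-to-client DNS traffic: a UDP datagram longer than 512 bytes, or TCP data longer than 1024 bytes, from source port 53. As an added illustration (not part of the post above and not FortiOS code), this Python applies the same test to constructed sample packets and also extracts the queried name, the key the signatures track with DNS_DOMAIN. The packet builder, the client port 40000 and the transaction id 0x1234 are assumptions made for the sample data.

```python
import struct

# Size limits from the mitigation discussed above (--udp.length > 512, --data_size > 1024).
UDP_MAX = 512
TCP_MAX = 1024


def qname_from_dns(msg: bytes) -> str:
    """First question name of a DNS message (question names are never compressed)."""
    labels, pos = [], 12                    # skip the 12-byte DNS header
    while pos < len(msg) and msg[pos] != 0:
        n = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return ".".join(labels)


def check_dns_response(transport: str, src_port: int, payload: bytes) -> dict:
    """Apply the thread's size rule to one server->client packet.

    UDP: `payload` is the whole datagram (8-byte UDP header + DNS message), the
    quantity --udp.length measures.  TCP: `payload` is the segment data, i.e. the
    2-byte RFC 1035 length prefix plus the DNS message, as --data_size sees it.
    """
    if src_port != 53:
        return {"match": False, "reason": "not a DNS server response"}
    if transport == "udp":
        size, dns, limit = len(payload), payload[8:], UDP_MAX
    elif transport == "tcp":
        size, dns, limit = len(payload), payload[2:], TCP_MAX
    else:
        raise ValueError("transport must be 'udp' or 'tcp'")
    return {"match": size > limit, "size": size, "limit": limit,
            "domain": qname_from_dns(dns)}


def build_response(name: str, answer_len: int, transport: str) -> bytes:
    """Constructed sample: a DNS response for `name` padded with `answer_len` bytes
    of filler in the answer section, wrapped the way `check_dns_response` expects."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)   # response, 1 Q, 1 A
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split("."))
    dns = header + labels + b"\x00" + struct.pack("!HH", 1, 1) + b"\xAA" * answer_len
    if transport == "udp":                  # UDP header: src 53, dst 40000, length, checksum
        return struct.pack("!HHHH", 53, 40000, 8 + len(dns), 0) + dns
    return struct.pack("!H", len(dns)) + dns  # DNS over TCP length prefix
```

A normal-sized answer passes on both transports, while a response padded to the 2048-byte region the glibc bug involves is flagged on UDP (over 512) and on TCP (over 1024).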

netmin

That seems to work on a (WAN) interface policy ... but it still needs more tests...
