Major bug in glibc affecting DNS lookups, potential remote code execution - https://access.redhat.com/security/cve/cve-2015-7547
Is FortiOS vulnerable, and if yes, what versions?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Before FTNT is responding (nothing to find yet), there are 2 mitigating measure one can take:
- limit DNS UDP packets to 512 bytes (discard larger packets)
- limit DNS TCP packets to 1024 bytes (discard larger packets)
On the fly, suggestions how to protect a FGT using these limits? A custom IPS signature?
How do you apply IPS signatures to traffic originating from (and responding to) Fortigate's own DNS resolver?
[strike]Using "local-in" policies[/strike] - CLI only. Unfortunately, this does not support UTM profiles.
Yes I'm interested in knowing if we need a patch also. It's a linux kernel so I'm assuming we'll need one at some point right?
I am testing IPS signature for CVE-2015-7547. I only enabled logging so I could do more tests.
config ips custom
edit "CVE-2015-7547-UDP"
set action block
set comment "GlibC name resolution bug"
set location client
set os Linux
set protocol DNS
set severity critical
set signature "F-SBID( --attack_id 8337; --name CVE-2015-7547-UDP; --protocol udp; --service DNS; --flow from_server; --src_port 53; --udp.length > 512; --rate 10,1,limit; --track DNS_DOMAIN; )"
next
edit "CVE-2015-7547-TCP"
set action block
set comment "GlibC name resolution bug"
set location client
set os Linux
set protocol DNS
set severity critical
set signature "F-SBID( --attack_id 5308; --name CVE-2015-7547-TCP; --protocol tcp; --service DNS; --flow from_server; --src_port 53; --data_size > 1024; --rate 10,1,limit; --track DNS_DOMAIN; )"
next
end
config ips sensor
edit "CVE-2015-7547"
config entries
edit 1
set action pass
set log-packet enable
set rule 5308 8337
set status enable
next
end
next
end
That seems to work on a (WAN) interface policy ... but needs still more tests...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1696 | |
1091 | |
752 | |
446 | |
228 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.