bmekler
New Contributor III

CVE-2015-7547 glibc vulnerability - is FortiOS vulnerable?

Major bug in glibc affecting DNS lookups, potential remote code execution - https://access.redhat.com/security/cve/cve-2015-7547

 

Is FortiOS vulnerable, and if yes, what versions?

ede_pfau
Esteemed Contributor III

Before FTNT responds (nothing to find yet), there are 2 mitigating measures one can take:

- limit DNS UDP packets to 512 bytes (discard larger packets)

- limit DNS TCP packets to 1024 bytes (discard larger packets)

 

On the fly, any suggestions on how to protect a FGT using these limits? A custom IPS signature?


Ede

"Kernel panic: Aiee, killing interrupt handler!"
bmekler
New Contributor III

How do you apply IPS signatures to traffic originating from (and responding to) Fortigate's own DNS resolver?

ede_pfau
Esteemed Contributor III

[strike]Using "local-in" policies[/strike] - CLI only. Unfortunately, this does not support UTM profiles.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
horric29

Yes, I'm interested in knowing if we need a patch also. It's a Linux kernel, so I'm assuming we'll need one at some point, right?

denache
New Contributor III

I am testing an IPS signature for CVE-2015-7547. I only enabled logging so I could do more tests.

 

config ips custom
    edit "CVE-2015-7547-UDP"
        set action block
        set comment "GlibC name resolution bug"
        set location client
        set os Linux
        set protocol DNS
        set severity critical
        set signature "F-SBID( --attack_id 8337; --name CVE-2015-7547-UDP; --protocol udp; --service DNS; --flow from_server; --src_port 53; --udp.length > 512; --rate 10,1,limit; --track DNS_DOMAIN; )"
    next
    edit "CVE-2015-7547-TCP"
        set action block
        set comment "GlibC name resolution bug"
        set location client
        set os Linux
        set protocol DNS
        set severity critical
        set signature "F-SBID( --attack_id 5308; --name CVE-2015-7547-TCP; --protocol tcp; --service DNS; --flow from_server; --src_port 53; --data_size > 1024; --rate 10,1,limit; --track DNS_DOMAIN; )"
    next
end

config ips sensor
    edit "CVE-2015-7547"
        config entries
            edit 1
                set action pass
                set log-packet enable
                set rule 5308 8337
                set status enable
            next
        end
    next
end
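As an added defender-side illustration (not from this thread or from Fortinet), the two size checks that the custom signatures above encode, run over constructed DNS messages: a UDP response larger than 512 bytes and a TCP message whose length prefix exceeds 1024. The function names and sample data are mine.

```python
import struct

# Thresholds quoted in the thread (Ede's mitigation, denache's F-SBID rules):
UDP_MAX = 512    # DNS-over-UDP response larger than this is suspect
TCP_MAX = 1024   # DNS-over-TCP message longer than this is suspect

def is_dns_response(payload: bytes) -> bool:
    """True if payload carries a DNS header with the QR (response) bit set."""
    if len(payload) < 12:
        return False
    flags = struct.unpack("!H", payload[2:4])[0]
    return bool(flags & 0x8000)

def check_udp(payload: bytes) -> bool:
    """Mirror of the UDP rule: a DNS response whose UDP payload exceeds UDP_MAX."""
    return is_dns_response(payload) and len(payload) > UDP_MAX

def check_tcp_stream(stream: bytes) -> list:
    """Mirror of the TCP rule: walk the 2-byte length-prefixed messages of a
    DNS-over-TCP stream and return the declared length of each message that
    exceeds TCP_MAX. A truncated trailing message is judged by its prefix,
    because the prefix is all the receiver has when it sizes its buffer."""
    oversized, pos = [], 0
    while pos + 2 <= len(stream):
        (length,) = struct.unpack("!H", stream[pos:pos + 2])
        if length > TCP_MAX:
            oversized.append(length)
        pos += 2 + length
    return oversized

def tcp_frame(message: bytes) -> bytes:
    """Prefix a DNS message with its 16-bit length, as DNS-over-TCP does."""
    return struct.pack("!H", len(message)) + message

def build_response(qname: str, answers: int) -> bytes:
    """Constructed sample: a minimal DNS response to an A query for qname
    carrying `answers` identical A records (RFC 1035 wire layout)."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, answers, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode() for l in qname.split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)      # QTYPE A, QCLASS IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + bytes([10, 0, 0, 1])
    return header + question + rr * answers

if __name__ == "__main__":
    print(check_udp(build_response("example.test", 40)))                    # True
    print(check_tcp_stream(tcp_frame(build_response("example.test", 70))))  # [1150]
```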

netmin

That seems to work on a (WAN) interface policy... but it still needs more tests...
