The vulnerability was introduced in 2008 in GNU C Library, a collection of open source code that powers thousands of standalone applications and most distributions of Linux, including those distributed with routers and other types of hardware. A function known as getaddrinfo() that performs domain-name lookups contains a buffer overflow bug that allows attackers to remotely execute malicious code. It can be exploited when vulnerable devices or apps make queries to attacker-controlled domain names or domain name servers or when they're exposed to man-in-the-middle attacks where the adversary has the ability to monitor and manipulate data passing between a vulnerable device and the open Internet. All versions of glibc after 2.9 are vulnerable.
Maintainers of glibc, as the open source library is called, released an update that patches the vulnerability. Anyone responsible for Linux-based software or hardware that performs domain name lookups should install it as soon as possible. For many people running servers, patching will be a simple matter of downloading the update and installing it. But for other types of users, a fix may not be so easy. Some apps that were compiled with a vulnerable version of glibc will have to be recompiled with an updated version of the library, a process that will take time as users wait for fixes to become available from hardware manufacturers and app developers.
The widely used secure shell, sudo, and curl utilities are all known to be vulnerable, and researchers warn that the list of other affected apps or code is almost too diverse and numerous to fully enumerate. Using a proof-of-concept exploit released Tuesday, White was able to determine that the version of the Wget utility he uses to test and query Web servers was vulnerable. He said he suspects that the vulnerability extends to an almost incomprehensibly large body of software, including virtually all distributions of Linux; the Python, PHP, and Ruby on Rails programming languages; and many other things that uses Linux code to look up the numerical IP address of an Internet domain. Most Bitcoin software is reportedly vulnerable, too.
One Linux-based package that's not vulnerable is Google's Android mobile operating system. It uses a glibc substitute known as Bionic and isn't susceptible, a company representative said.