Note to self: check all my home routers for updates today. For those devices without updates, I need to research which may be running the vulnerable glibc vs. the not-affected uclibc.
I’m relieved that this issue does not affect BSD, Mac, iOS, Android or Windows, but I fear for all those little Linux devices.
Originally shared by Alan Cox
Not pretty. However, the bigger problem is not the obvious one. There will be patches very soon for all the usual Linux platforms (or roll your own RPM, it’s not hard). However, guess what many of those cheap, GPL-violating, no-source-code ADSL routers that never get firmware upgrades run for their own internal use and to masquerade DNS?
And that is why source code to your infrastructure is so important. This bug just obsoleted a pile of low end crapware router and firewall boxes holding homes, businesses and government together.
You can upgrade all your servers, but if that little cheapo plastic box on your network somewhere has a vulnerable post-2008 glibc and ever does DNS lookups, chances are it’s the equivalent of a trapdoor into your network.
Even more fun, of course – some of them regularly do poll some hardcoded DNS address, so if anyone takes over that DNS record and starts serving a suitably compromised record back …