The upstream DNS portion is a bit harder, but not impossible. You can also forge DNS responses to get this to work if I understood the info on the glibc dev list correctly.
On Thu, Feb 18, 2016 at 4:55 PM, Mike Hammett <[email protected]> wrote:
> On Packet Pushers they were saying that while they didn't want to
> discourage patching as patching is indeed important, the ducks that have to
> line up to pull this attack off are very difficult to get lined up.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> <https://www.facebook.com/ICSIL>
> <https://plus.google.com/+IntelligentComputingSolutionsDeKalb>
> <https://www.linkedin.com/company/intelligent-computing-solutions>
> <https://twitter.com/ICSIL>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> <https://www.facebook.com/mdwestix>
> <https://www.linkedin.com/company/midwest-internet-exchange>
> <https://twitter.com/mdwestix>
> The Brothers WISP <http://www.thebrotherswisp.com/>
> <https://www.facebook.com/thebrotherswisp>
> <https://www.youtube.com/channel/UCXSdfxQv7SpoRQYNyLwntZg>
> ------------------------------
> *From: *"Josh Reynolds" <[email protected]>
> *To: *[email protected]
> *Sent: *Thursday, February 18, 2016 4:53:17 PM
> *Subject: *Re: [AFMUG] update and patch your linux servers, people!
>
> #oldnews
>
> Another thing you want to do is limit inbound DNS responses to 1024
> and less on most platforms, including MikroTik. They may use uClibc
> though, I am not sure.
>
> Most UBNT devices are not vulnerable to this, although EdgeRouter and
> CloudKey were (and probably that old UBNT NVR appliance). Thankfully
> they both receive patches from Debian upstream, so it's just an
> apt-get update ; apt-get upgrade -y away.
>
> On Thu, Feb 18, 2016 at 4:48 PM, Eric Kuhnke <[email protected]>
> wrote:
>
> > http://linux.slashdot.org/story/16/02/18/157239/magnitude-of-glibc-vulnerability-coming-to-light
> >
> > http://arstechnica.com/security/2016/02/extremely-severe-bug-leaves-dizzying-number-of-apps-and-devices-vulnerable/
> >
> > http://www.kb.cert.org/vuls/id/457759
> >
> > If it has glibc on it and looks up things by DNS, it needs to be patched.
> > That's just about every Linux distro in existence.
>
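The 1024-byte response limit Josh mentions, written out as a reference filter in Python (an added example, not code from anyone in this thread): it decodes the DNS header so that only answers (QR=1) are subject to the cut-off, and builds constructed sample packets to show a normal single-record reply passing and a bloated one being dropped. The packet builder, the names and the addresses are assumptions; the equivalent Linux iptables rule is given in a comment.

```python
import struct

# Threshold from the thread: inbound DNS answers over 1024 bytes get dropped.
# Equivalent Linux packet-filter rule (for reference; needs root to apply):
#   iptables -A INPUT -p udp --sport 53 -m length --length 1025:65535 -j DROP
DNS_RESPONSE_LIMIT = 1024

def parse_dns_header(payload):
    """Decode the fixed 12-byte DNS header at the start of a UDP payload."""
    if len(payload) < 12:
        raise ValueError("payload shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit: 1 = answer
        "truncated": bool(flags & 0x0200),    # TC bit
        "rcode": flags & 0x000F,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def classify_dns_packet(payload, limit=DNS_RESPONSE_LIMIT):
    """'drop' for an answer larger than the limit, otherwise 'pass'.
    Queries (QR=0) are never dropped; only responses are size-limited."""
    header = parse_dns_header(payload)
    if header["is_response"] and len(payload) > limit:
        return "drop"
    return "pass"

def _encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"

def build_a_response(txid, name, addresses):
    """Constructed sample answer (not a real capture): one A question and one
    16-byte A record per address, so size grows linearly with the record count."""
    header = struct.pack("!6H", txid, 0x8180, 1, len(addresses), 0, 0)  # QR,RD,RA
    question = _encode_name(name) + struct.pack("!HH", 1, 1)  # type A, class IN
    answers = b""
    for addr in addresses:
        rdata = bytes(int(octet) for octet in addr.split("."))
        # 0xC00C is a compression pointer back to the question's name
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers

if __name__ == "__main__":
    small = build_a_response(0x1234, "example.com", ["192.0.2.1"])
    huge = build_a_response(0x1234, "example.com", ["192.0.2.%d" % i for i in range(1, 101)])
    print(len(small), classify_dns_packet(small))  # 45 pass
    print(len(huge), classify_dns_packet(huge))    # 1629 drop
```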
