GNU C Library DNS Response Handling Vulnerability in gethostbyaddr Functions

Vulnerability

A vulnerability exists in the GNU C Library (glibc) versions 2.34 through 2.43, specifically within the Name Service Switch (NSS) component. The issue arises when the gethostbyaddr or gethostbyaddr_r functions are called with an nsswitch.conf configuration that directs reverse lookups to the library's DNS backend. Under these conditions, a crafted response from the DNS server can cause the DNS response sections to be misinterpreted: the library may treat a record from a non-answer section as a valid answer and return an incorrect hostname to the caller.

Impact

Exploitation of this vulnerability could result in the application returning an incorrect hostname, violating DNS specifications and leading to erroneous behavior. This could obscure reverse DNS results from intrusion detection systems, delaying threat analysis, according to the source.

Reproduction

The vulnerability can be reproduced by configuring nsswitch.conf to use the DNS backend for name resolution. Then, call the gethostbyaddr or gethostbyaddr_r functions. If the DNS server responds with a crafted packet that includes a semantically invalid T_PTR record, the library may incorrectly process the response, treating it as a valid answer when it should not be.
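To make the section-confusion class of flaw concrete, here is an added C example (not glibc code and not the fix) that parses a DNS response and counts PTR records either strictly, walking only the ANCOUNT answer records, or leniently, walking the authority and additional sections too. The lenient mode is an assumed, simplified model of the mistake the advisory describes, not a reproduction of glibc's actual code path; the response bytes are constructed for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Skip a wire-format name (labels or a compression pointer).
   Returns bytes consumed, or 0 on a malformed or truncated name. */
static size_t skip_name(const uint8_t *p, size_t len, size_t off) {
    for (size_t i = off; i < len; i += 1 + p[i]) {
        if (p[i] == 0) return i + 1 - off;
        if ((p[i] & 0xC0) == 0xC0) return (i + 2 <= len) ? i + 2 - off : 0;
    }
    return 0;
}

/* Count PTR records. strict=1 walks only the ANCOUNT answer records; strict=0 also
   walks authority/additional records (assumed model of the flaw). -1 = malformed. */
int count_ptr(const uint8_t *m, size_t len, int strict) {
    if (len < 12) return -1;
    unsigned qd = m[4] << 8 | m[5], an = m[6] << 8 | m[7];
    unsigned ns = m[8] << 8 | m[9], ar = m[10] << 8 | m[11];
    size_t off = 12, n;
    for (unsigned i = 0; i < qd; i++)            /* skip the question section */
        if (!(n = skip_name(m, len, off)) || (off += n + 4) > len) return -1;
    unsigned total = strict ? an : an + ns + ar;
    int found = 0;
    for (unsigned i = 0; i < total; i++) {
        if (!(n = skip_name(m, len, off))) return -1;
        if ((off += n) + 10 > len) return -1;    /* TYPE, CLASS, TTL, RDLENGTH */
        unsigned type = m[off] << 8 | m[off + 1];
        unsigned rdlen = m[off + 8] << 8 | m[off + 9];
        if ((off += 10) + rdlen > len) return -1;
        if (type == 12) found++;                 /* T_PTR */
        off += rdlen;
    }
    return found;
}

/* Constructed sample: ANCOUNT=0, NSCOUNT=1, and the only PTR record sits in the
   authority section. A correct resolver must report no answer for this packet. */
static const uint8_t sample[] = {
    0x12,0x34, 0x81,0x80, 0,1, 0,0, 0,1, 0,0,    /* ID, flags, QD=1, AN=0, NS=1, AR=0 */
    1,'1', 1,'0', 1,'0', 3,'1','2','7', 7,'i','n','-','a','d','d','r', 4,'a','r','p','a', 0,
    0,12, 0,1,                                   /* QTYPE=PTR, QCLASS=IN */
    0xC0,0x0C, 0,12, 0,1, 0,0,0,0, 0,14,         /* name ptr, PTR, IN, TTL=0, RDLENGTH=14 */
    4,'h','o','s','t', 7,'e','x','a','m','p','l','e', 0
};

int main(void) {
    printf("strict=%d lenient=%d\n", count_ptr(sample, sizeof sample, 1),
           count_ptr(sample, sizeof sample, 0));
}
```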

Remediation

A patch for this vulnerability has been developed and is available. The patch has been posted to the libc-alpha mailing list.

Added: Mar 20, 2026, 8:32 PM
Updated: Mar 20, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm

spread: 6.6
impact: 0.6
exploitability: 4.0
remediation: 7.7
relevance: 4.2
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.