F5 Networks BIG-IP : glibc vulnerability (K16365)
High Nessus Plugin ID 119731
SynopsisThe remote device is missing a vendor-supplied security patch.
DescriptionThe nss_dns implementation of getnetbyname in GNU C Library (aka glibc) before 2.21, when the DNS backend in the Name Service Switch configuration is enabled, allows remote attackers to cause a denial of service (infinite loop) by sending a positive answer while a network name is being process. (CVE-2014-9402)
This vulnerability can only be exploited if you explicitly enable DNS for networks in the Name Service Switch Configuration file ( /etc/nsswitch.conf ). By default, the BIG-IP system does not have DNS enabled for networks in the Name Service Switch configuration and is not vulnerable. An attacker with local access and knowledge of how to make the glibc function trigger an exploit may be able to cause a denial of service (DoS).
SolutionUpgrade to one of the non-vulnerable versions listed in the F5 Solution K16365.