CVE-2015-7547 is a potential stack overflow vulnerability in the glibc library, which some of Incognito's Broadband Command Center (BCC) services use at runtime. Because glibc is dynamically loaded at runtime, the recommended action to completely remove the vulnerability is to upgrade vulnerable versions of the glibc library as recommended in the links above. Incognito has successfully tested BCC services with the patched glibc library.
Impact of the vulnerability in BCC:
BCC services make use of the getaddrinfo() call; however, Incognito considers the risk of exploiting this vulnerability to be very small. The call is used to support network communications between BCC services and third-party supporting services, such as LDAP servers or SQL servers used in device provisioning flows. An attacker would need detailed knowledge of BCC service functionality and service APIs, and would need to be able to compromise the BCC server configuration in order to direct BCC to perform lookups against the attacker's authoritative DNS. Since BCC servers normally run within highly secure zones in the network operator's back office, an attacker would additionally have to compromise the operator's security measures in order to exploit the vulnerability.
While Incognito recommends that operators upgrade their systems with the patched glibc library, the risk of exploitation in BCC services is considered low for unpatched systems.
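Two defender-side checks that follow from the recommendation above, added here as an example and not Incognito's own tooling: the script assumes a Linux host with glibc's `getconf` and a readable `/proc`, and the version thresholds are the upstream glibc ones (bug introduced in 2.9, fixed in 2.23), which distribution backports may not reflect.

```shell
#!/bin/sh
# Added example, not Incognito tooling: two checks an operator can run on a
# Linux host that runs BCC services.
#  1. Report the glibc version the dynamic loader serves to processes.
#  2. Because glibc is loaded dynamically, replacing the library on disk only
#     protects a service once it is restarted; list processes still mapping a
#     libc file the package manager has since replaced ("(deleted)" in /proc).

# Upstream glibc introduced the bug in 2.9 and fixed it in 2.23. Distributions
# backport the fix under older version numbers, so a "yes" here means "confirm
# against your distribution's advisory", not "definitely vulnerable".
glibc_version_in_upstream_vulnerable_range() {
    # $1 is a version such as "2.17" or "2.22.1"; true when 2.9 <= version < 2.23
    case "$1" in *.*) ;; *) return 1 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    [ "$major" -eq 2 ] && [ "$minor" -ge 9 ] && [ "$minor" -lt 23 ]
}

installed_glibc_version() {
    # getconf prints e.g. "glibc 2.17"; keep only the number
    getconf GNU_LIBC_VERSION 2>/dev/null | sed 's/^glibc //'
}

processes_using_deleted_libc() {
    # Print "PID command" for every process whose memory map still references a
    # libc shared object that no longer exists on disk (kernel appends "(deleted)").
    for maps in /proc/[0-9]*/maps; do
        pid=${maps#/proc/}
        pid=${pid%/maps}
        if grep -q 'libc[-.][^ ]*so[^ ]* (deleted)$' "$maps" 2>/dev/null; then
            printf '%s %s\n' "$pid" "$(tr '\0' ' ' < "/proc/$pid/cmdline" 2>/dev/null)"
        fi
    done
}

version=$(installed_glibc_version)
printf 'glibc in use: %s\n' "${version:-unknown}"
if glibc_version_in_upstream_vulnerable_range "$version"; then
    echo "upstream version is in the CVE-2015-7547 range; check distro backports"
fi
stale=$(processes_using_deleted_libc)
if [ -n "$stale" ]; then
    echo "processes still running against a replaced libc (restart them):"
    echo "$stale"
fi
```

Run it once before and once after the glibc upgrade; an empty second list confirms every service has picked up the patched library.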