Impact of the GNU C Library getaddrinfo() Buffer Overflow Vulnerability (CVE-2015-7547) on EMC/RSA Products

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

On February 16, 2016, security researchers publicly disclosed a vulnerability in the Linux glibc library, which is commonly found in Linux-based operating systems. The glibc DNS client side resolver is vulnerable to a stack-based buffer overflow when the getaddrinfo() library function is used (CVE-2015-7547). A remote attacker could create specially crafted DNS responses, which could cause the library to crash or potentially execute code with the permissions of the user running the library.

Following the disclosure of this vulnerability, we immediately initiated a review of EMC Information Infrastructure and RSA products to assess any potential impact. (more…)

Impact of the GNU glibc gethostbyname Function Buffer Overflow “GHOST” Vulnerability on EMC/RSA Products

Reeny Sondhi

Reeny Sondhi

Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products. More ...

The “Ghost” vulnerability (CVE-2015-0235) in the gethostbyname functions of the GNU C Library (glib), which is commonly found in Linux based operating systems, affects applications calling this function. In some special instances, the successful exploitation of this vulnerability could allow an attacker to perform remote code execution on a targeted system. Following the release of this vulnerability, we immediately initiated a review of EMC Information Infrastructure and RSA products to assess any potential impact. (more…)

Impact of the GNU Bash ShellShock Vulnerability on EMC/RSA products

Reeny Sondhi

Reeny Sondhi

Reeny Sondhi is Sr. Director, Product Security Engineering at EMC Corporation. She is responsible for driving the strategy and execution of EMC’s software security program including EMC’s Security Development Lifecycle, a company-wide initiative to build secure products. She also leads EMC’s common security engineering technologies and the EMC Product Security Response Center, which is responsible for managing and resolving security vulnerabilities in EMC products. Additionally, she has responsibility to lead the security certification strategy and program for EMC products. More ...

The ShellShock vulnerability (CVE-2014-6271, CVE-2014-6277, CVE-2014-6278, CVE-2014-7169CVE-2014-7186 & CVE-2014-7187) affects GNU Bash that could allow an unauthenticated remote attacker to inject arbitrary commands on a targeted system. Following the release of this vulnerability, we immediately initiated a review of EMC Information Infrastructure and RSA products to assess any potential impact.

(more…)

Secure Design in the Limelight

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

The launch last week of the IEEE Center for Secure Design is an opportunity to remind the industry of the prominent role of secure design in building secure IT products.

Security engineering requires three main technical activities: Secure design, secure coding and security testing. Much of emphasis has been put by the industry on secure coding and security testing and much less on secure design. That is unfortunate. (more…)

Assessing the Security of Acquired Software: One size does not fit all!

Eric Baize

Eric Baize

Eric Baize is Senior Director of the Product Security Office at EMC Corporation. He leads the Product Security Office with company-wide responsibility for product security and supply chain assurance, covering vulnerability response handling, security development lifecycle implementation, supply chain risk management, coordination of security certifications and integration of RSA technology in EMC products and solutions. More ...

The following post was co-authored with Steve Lipner from Microsoft and originally posted on the SAFECode blog.

Customers frequently ask all software developers – including SAFECode members – how they can be confident in the security of the software they acquire. We are well aware that acquired software can introduce new vulnerabilities into IT environments and that risk managers need a method for assessing the security of the IT products they procure and the impact those products may have on the organization’s risk posture. (more…)