EGI SVG Advisories

Advisory-EGI-SVG-2024-10

HIGH risk glibc vulnerability

Date: 2024-05-03 Updated: 2024-06-05, 2024-06-10

A HIGH risk vulnerability has been found concerning glibc where an out-of-bounds write flaw in the ISO-2022-CN-EXT plugin for glibc’s iconv library may allow remote code execution. [R 1]

IDs AND CVSS SCORE

EGI SVG ID : EGI-SVG-2024-10

CVE ID : CVE-2024-2961

CVSS Score : 8.8 [R 1]

AFFECTED SOFTWARE AND VERSIONS

The affected version is several years old (version 2.28) [R 2], but this version is still included with common Linux distributions.

UPDATE 2024-06-04

This has been fixed for many Linux versions, including RHEL [R 1].

ACTIONS REQUIRED/RECOMMENDED

Sites are recommended to update if a fixed version is available for the Linux version they deploy.

Until then sites are recommended to carry out the mitigation below.

MITIGATION

UPDATE 2024-06-10

Error corrected.

The mitigation would be to disable this encoding:

Check if your OS is running a vulnerable version:

# iconv -l | grep -E 'CN-?EXT'
ISO-2022-CN-EXT//
ISO2022CNEXT//

To disable it:

# cd /usr/lib64/gconv/gconv-modules.d
Comment out the ISO-2022-CN-EXT entries in gconv-modules-extra.conf:
  #       from                    to                      module          cost
  #alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
  #module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
  #module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1

or

# grep -v -E 'CN-?EXT' gconv-modules-extra.conf > gconv-modules-extra-patched.conf
# rm gconv-modules-extra.conf

Delete the cache and regenerate it as follows:

# rm gconv-modules.cache
# iconvconfig

The location of the configuration directory depends on the OS; you can find it with:

# find /usr -name gconv
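The check-and-disable steps above, as an added example that is not part of the EGI advisory: shell helpers that test `iconv -l` output for the vulnerable converter and comment the ISO-2022-CN-EXT entries out of a gconv-modules config, so the result can be verified on a copy before and after running iconvconfig. The sample config is constructed here and assumes the same alias/module syntax shown in the advisory excerpt.

```shell
#!/bin/sh
# Added example, not from the EGI advisory. Constructed excerpt in the
# gconv-modules format; the real file is gconv-modules-extra.conf.
SAMPLE_CONF='#       from                    to                      module          cost
alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
alias   ISO2022CN//             ISO-2022-CN//
module  ISO-2022-CN//           INTERNAL                ISO-2022-CN     1'

# cn_ext_enabled OUTPUT: return 0 if the given `iconv -l` output still lists
# the ISO-2022-CN-EXT converter (either spelling), 1 otherwise.
cn_ext_enabled() {
    printf '%s\n' "$1" | grep -qiE 'CN-?EXT'
}

# check_running_system: 0 = vulnerable converter registered, 1 = disabled,
# 2 = iconv not installed. Only reads, never modifies, the system.
check_running_system() {
    command -v iconv >/dev/null 2>&1 || return 2
    cn_ext_enabled "$(iconv -l 2>/dev/null)"
}

# disable_cn_ext: read a gconv-modules config on stdin, write it to stdout
# with every alias/module line for ISO-2022-CN-EXT commented out. Lines for
# the plain ISO-2022-CN converter are kept; only the -EXT plugin is affected.
disable_cn_ext() {
    sed -E '/^[[:space:]]*(alias|module)[[:space:]].*CN-?EXT/ s/^/#/'
}

# count_active_cn_ext: number of uncommented alias/module lines on stdin that
# still reference CN-EXT (expected to be 0 after disable_cn_ext).
count_active_cn_ext() {
    grep -cE '^[[:space:]]*(alias|module)[[:space:]].*CN-?EXT' || true
}

# Demonstration on the constructed sample only; nothing on disk is touched.
# To apply for real: disable_cn_ext < gconv-modules-extra.conf > patched.conf,
# replace the original, remove gconv-modules.cache and run iconvconfig.
printf '%s\n' "$SAMPLE_CONF" | disable_cn_ext
```

After regenerating the cache, `check_running_system` should return 1, since `iconv -l` no longer lists either spelling of the converter.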

STATUS OF THIS ADVISORY

TLP:CLEAR information - Unlimited distribution

https://advisories.egi.eu/Advisory-EGI-SVG-2024-10

https://advisories.egi.eu/Advisory-SVG-CVE-2024-2961

Minor updates may be made without re-distribution to the sites.

CONTACT AND OTHER INFORMATION ON SVG


This advisory is subject to the Creative Commons licence
https://creativecommons.org/licenses/by/4.0/ and
the EGI (https://www.egi.eu/) Software Vulnerability Group
must be credited.

Comments or questions should be sent to svg-rat at mailman.egi.eu

Vulnerabilities relevant for EGI can be reported at report-vulnerability at egi.eu

(see [R 99] for further details, and other information on SVG)

REFERENCES

CREDITS

SVG was alerted to this vulnerability by Barbara Krasovec