Security glibc iconv module CVE-2024-2961 vulnerability mitigation fix

eva2000 · Apr 26, 2024

glibc iconv CVE-2024-2961 vulnerability

The CVE-2024-2961 issue involves a vulnerability in the software library, glibc, which could potentially allow unauthorized actions on a computer if exploited. This vulnerability is associated with the way text encoding conversions are handled, specifically affecting certain character sets used in text files.

CVE-2024-2961 is a vulnerability found in the GNU C Library (glibc), particularly in the iconv module, which is responsible for converting text between different character encodings. The flaw is specific to the handling of the ISO-2022-CN-EXT character encoding, which could be exploited to execute arbitrary code or disrupt services by manipulating the conversion process to cause buffer overflows or other unexpected behaviors.

For users of Centmin Mod, updates have been made in versions 124.00stable and 130.00beta01 to address this vulnerability. A new script, /usr/local/src/centminmod/tools/iconv-fixes.sh, has been introduced. You can manually run this script after executing cmupdate to obtain it, or it will automatically apply when you run cmupdate command and then run and exit the centmin.sh menu after an update. This proactive step ensures your system is safeguarded against potential exploits related to this issue.

EL7 OS example shell script run

This iconv command and grep filter checks if ISO-2022-CN-EXT character encoding exists in iconv. If it doesn't exist, the command would return an empty result instead of the 2 lines which are loaded by default.
Code (Text):
iconv -l | grep -E 'CN-?EXT'
ISO-2022-CN-EXT//
ISO2022CNEXT//
manually ran iconv-fixes.sh script from /usr/local/src/centminmod/tools directory
Code (Text):
./iconv-fixes.sh
iconv CVE-2024-2961 mitigation fix for: /usr/lib64/gconv/gconv-modules
Backup of /usr/lib64/gconv/gconv-modules created at /usr/lib64/gconv/gconv-modules.20240425-213935.
Before modification:
alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
Modifications applied to /usr/lib64/gconv/gconv-modules.
iconv cache regenerated.
After modification:
#alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
#module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
#module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
Configuration file not found at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.
silent mode with -s flag doesn't return any output now
Code (Text):
./iconv-fixes.sh -s
Verify that it's fixed by running below command again, should return an empty result now.
Code (Text):
iconv -l | grep -E 'CN-?EXT'
Code (Text):
cat /root/centminlogs/iconv_fix_20240425-214150.log
iconv CVE-2024-2961 mitigation fix for: /usr/lib64/gconv/gconv-modules
Backup of /usr/lib64/gconv/gconv-modules created at /usr/lib64/gconv/gconv-modules.20240425-214150.
Before modification:
alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
Modifications applied to /usr/lib64/gconv/gconv-modules.
iconv cache regenerated.
After modification:
#alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
#module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
#module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
Configuration file not found at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.
Verify that it's fixed by running below command again, should return an empty result now.
Code (Text):
iconv -l | grep -E 'CN-?EXT'
EL8+ OS example shell script run

This iconv command and grep filter checks if ISO-2022-CN-EXT character encoding exists in iconv. If it doesn't exist, the command would return an empty result instead of the 2 lines which are loaded by default.
Code (Text):
iconv -l | grep -E 'CN-?EXT'
ISO-2022-CN-EXT//
ISO2022CNEXT//
manually ran iconv-fixes.sh script from /usr/local/src/centminmod/tools directory
Code (Text):
./iconv-fixes.sh                                                                      
No vulnerable charset lines found in /usr/lib64/gconv/gconv-modules, no action required.
iconv CVE-2024-2961 mitigation fix for: /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
Backup of /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf created at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.20240425-163503.
Before modification:
alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
Modifications applied to /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.
iconv cache regenerated.
After modification:
#alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
#module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
#module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
silent mode with -s flag doesn't return any output now
Code (Text):
./iconv-fixes.sh -s
Verify that it's fixed by running below command again, should return an empty result now.
Code (Text):
iconv -l | grep -E 'CN-?EXT'
Code (Text):
cat /root/centminlogs/iconv_fix_20240425-163724.log
No vulnerable charset lines found in /usr/lib64/gconv/gconv-modules, no action required.
iconv CVE-2024-2961 mitigation fix for: /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf
Backup of /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf created at /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.20240425-163724.
Before modification:
alias   ISO2022CNEXT//          ISO-2022-CN-EXT//
module  ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
module  INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
Modifications applied to /usr/lib64/gconv/gconv-modules.d/gconv-modules-extra.conf.
iconv cache regenerated.
After modification:
#alias  ISO2022CNEXT//          ISO-2022-CN-EXT//
#module ISO-2022-CN-EXT//       INTERNAL                ISO-2022-CN-EXT 1
#module INTERNAL                ISO-2022-CN-EXT//       ISO-2022-CN-EXT 1
Verify that it's fixed by running below command again, should return an empty result now.
Code (Text):
iconv -l | grep -E 'CN-?EXT'

eva2000 · Apr 26, 2024

While not a PHP security bug, php folks have addressed this glibc iconv security vulnerability at PHP: Hypertext Preprocessor

Recently, a bug in glibc version 2.39 and older (CVE-2024-2961) was uncovered where a buffer overflow in character set conversions to the ISO-2022-CN-EXT character set can result in remote code execution.

This specific buffer overflow in glibc is exploitable through PHP, which exposes the iconv functionality of glibc to do character set conversions via the iconv extension. Although the bug is exploitable in the context of the PHP Engine, the bug is not in PHP. It is also not directly exploitable remotely.

The bug is exploitable, if and only if, the PHP application calls iconv functions or filters with user-supplied character sets.

Applications are not vulnerable if:

Glibc security updates from the distribution have been installed

Or the iconv extension is not loaded

Or the vulnerable character set has been removed from gconv-modules-extra.conf

Or the application passes only specifically allowed character sets to iconv.

Moreover, when using a user-supplied character set, it is good practice for applications to accept only specific charsets that have been explicitly allowed by the application. One example of how this can be done is by using an allow-list and the array_search() function to check the encoding before passing it to iconv. For example: array_search($charset, $allowed_list, true)

There are numerous reports online with titles like "Mitigating the iconv Vulnerability for PHP (CVE-2024-2961)" or "PHP Under Attack". These titles are misleading as this is not a bug in PHP itself.

If your PHP application is vulnerable, we first recommend to check if your Linux distribution has already published patched variants of glibc. Debian, CentOS, and others, have already done so, and please upgrade as soon as possible.

Once an update is available in glibc, updating that package on your Linux machine will be enough to alleviate the issue. You do not need to update PHP, as glibc is a dynamically linked library.

If your Linux distribution has not published a patched version of glibc, there is no fix for this issue. However, there exists a workaround described in GLIBC Vulnerability on Servers Serving PHP which explains a way on how to remove the problematic character set from glibc. Perform this procedure for every gconv-modules-extra.conf file that is available on your system.

Once an update is available in glibc, updating that package on your Linux machine will be enough to alleviate the issue. You do not need to update PHP, as glibc is a dynamically linked library.

PHP users on Windows are not affected.

There will therefore also not be a new version of PHP for this vulnerability.
Click to expand...

Log in / Register

Forums

Join the community today

Security glibc iconv module CVE-2024-2961 vulnerability mitigation fix

eva2000 Administrator Staff Member

glibc iconv CVE-2024-2961 vulnerability

EL7 OS example shell script run

EL8+ OS example shell script run

eva2000 Administrator Staff Member

.

Log in / Register

Useful Searches

Join the community today

Security glibc iconv module CVE-2024-2961 vulnerability mitigation fix

eva2000 Administrator Staff Member

glibc iconv CVE-2024-2961 vulnerability

EL7 OS example shell script run

EL8+ OS example shell script run

eva2000 Administrator Staff Member

.