garrettmills/www
1
0
Fork 0
Code Issues Pull Requests Releases Activity

Add cve post
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/promote/production Build is passing
Details

Browse Source
This commit is contained in:
Garrett Mills 2024-04-22 21:16:26 -05:00
parent 56da99740c
commit 402ab60e0e
2 changed files with 119 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/app/resources/assets/main-70s.css
View File

@ -801,7 +801,7 @@ section#auth h3 {
}
.post-title {
font-size: 48pt;
font-size: 36pt;
line-height: 1.5em;
}

118
src/app/resources/blog-posts/Mitigating-the-iconv-Vulnerability-for-PHP-CVE-2024-2961.md Normal file
View File

@ -0,0 +1,118 @@
---
title: "Mitigating the iconv Vulnerability for PHP (CVE-2024-2961)"
slug: Mitigating-the-iconv-Vulnerability-for-PHP-CVE-2024-2961
date: 2024-04-22 20:54:06
tags:
- devops
- linux
- webdev
- hosting
---
Recently, [CVE-2024-2961](https://www.openwall.com/lists/oss-security/2024/04/18/4) was released which identifies a buffer overflow vulnerability in GNU libc versions < 2.39 when converting charsets to certain Chinese Extended encodings.
This vulnerability affects PHP when `iconv` is used to translate request encodings to/from the affected charsets and has the potential to be wide-ranging (e.g. the latest `wordpress:apache` image has `iconv` with the vulnerable charsets enabled).
Obviously, the best mitigation is to update to a patched version of `glibc`. However, if you are unable to (or it's not available on your OS yet), you can mitigate this issue by disabling the affected charsets in `gconv`.
I had a really hard time finding information on how to check for and mitigate this issue at the OS-level (possibly because the researcher who discovered the CVE is presently _teasing_ details about the PHP exploit for his [talk at a conference](https://www.offensivecon.org/speakers/2024/charles-fol.html)... 3 weeks after the CVE was announced. 🙄)
I've collected my notes here, in case they might be useful for someone else.
## Check if your OS is vulnerable
```shell
ldd --version
```
The first line of the linker version info should include the version of glibc (either as `GLIBC` or `GNU libc`).
Example from Debian 12:
```text
ldd (Debian GLIBC 2.36-9+deb12u4) 2.36
Copyright (C) 2022 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
```
Example from Rocky Linux 9:
```text
ldd (GNU libc) 2.34
Copyright (C) 2021 Free Software Foundation, Inc.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.
```
> You can also use your package manager to check (for example, `rpm -q glibc`).
If you are using `glibc` 2.39 or older, then the `ISO-2022-CN-EXT` encodings are vulnerable for your system's `iconv` and `gconv`.
## Check for bad encodings
Check if the vulnerable encodings are enabled in `iconv`:
```shell
iconv -l | grep -E 'CN-?EXT'
```
If they are, you will see an output like:
```
ISO-2022-CN-EXT//
ISO2022CNEXT//
```
## Disable bad encodings
We can modify the `gconv-modules` configuration to disable the affected charsets:
```shell
cd /usr/lib/x86_64-linux-gnu/gconv
```
> This might be in slightly different locations for exotic systems. Try `find / -name gconv-modules`.
Disable the offending encodings in the `gconv-modules` config file. This will either be in `gconv-modules` directly, or in something like `gconv-modules.d/gconv-modules-extra.conf`:
```shell
cd gconv-modules.d
cat gconv-modules-extra.conf | grep -v -E 'CN-?EXT' > gconv-modules-extra-patched.conf
rm gconv-modules-extra.conf
cd ..
```
Remove the cache file if present:
```shell
rm gconv-modules.cache
```
> You can regenerate that cache file using [`iconvconfig(8)`](https://www.man7.org/linux/man-pages/man8/iconvconfig.8.html).
Then re-check for the vulnerable encodings:
```shell
iconv -l | grep -E 'CN-?EXT'
```
There should be no output from this command.
### Docker
For those using Docker images, here's a convenient `Dockerfile` blurb:
```dockerfile
# Disable vulnerable iconv encodings (CVE-2024-2961)
RUN cd /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.d \
&& cat gconv-modules-extra.conf | grep -v -E 'CN-?EXT' > gconv-modules-extra-patched.conf \
&& rm -f gconv-modules-extra.conf ../gconv-modules.cache \
&& iconvconfig \
&& iconv -l | grep -E 'CN-?EXT' && exit 1 || true
```
That last line contains one of my favorite Dockerfile tricks (`check-something && exit 1 || true`) -- your Docker build will fail if the vulnerable charsets are enabled.