
Recent glibc Vulnerabilities and How to Protect Your Linux System

Rohan Timalsina

June 11, 2024 - TuxCare expert team

The GNU C Library, commonly known as glibc, is a critical component in many Linux distributions. It provides core functions essential for system operations. However, like any software library, it is not immune to vulnerabilities. Recently, multiple security issues have been identified in glibc, which could result in a denial of service. These vulnerabilities were introduced in glibc version 2.15, when the cache feature was added to the Name Service Cache Daemon (nscd).

 

Overview of the glibc Vulnerabilities

 

The vulnerabilities addressed include several critical issues within the GNU C Library’s Name Service Cache Daemon (nscd), which is used to cache name service requests.

 

CVE-2024-33599

A stack-based buffer overflow vulnerability exists in the Name Service Cache Daemon (nscd) within the GNU C Library (glibc). This issue arises when the fixed-size cache of nscd becomes exhausted due to client requests. If a subsequent request for netgroup data is made, it can result in a stack-based buffer overflow. A local attacker could exploit this flaw to cause a denial of service (system crash).

 

CVE-2024-33600

A null pointer dereference vulnerability was discovered in the Name Service Cache Daemon (nscd) of glibc. This issue occurs when nscd fails to add a “not found” netgroup response to its cache, leading to a null pointer dereference upon a subsequent client request. A local attacker could exploit this flaw to cause a denial of service (system crash).

 

CVE-2024-33601

A vulnerability has been identified in the nscd of the GNU C Library, where the netgroup cache’s xmalloc or xrealloc functions may cause the daemon to terminate upon a memory allocation failure. This issue could allow a local attacker to cause denial of service conditions.

 

CVE-2024-33602

A memory corruption vulnerability has been found in the Name Service Cache Daemon (nscd) of the GNU C Library. This issue occurs when the netgroup cache incorrectly assumes that the NSS callback stores all strings in the provided buffer. If the callback does not do so, it can lead to memory corruption. A local attacker could exploit this flaw to cause a denial of service (system crash).

All these vulnerabilities are only present in the nscd binary.
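To triage which hosts meet the conditions described above (glibc 2.15 or later, with the nscd netgroup cache in use), the following shell sketch reports both. It is an added example, not code from TuxCare or the glibc project; the function names are illustrative, and it assumes that the last `enable-cache netgroup` line in nscd.conf wins and that a missing line means the cache is disabled.

```shell
#!/bin/sh
# Added example: report the two preconditions the article names for these CVEs.

# Constructed sample input (not taken from any real host).
SAMPLE_CONF='# constructed sample nscd.conf
enable-cache    passwd      yes
enable-cache    netgroup    yes   # trailing comment is ignored'

# $1 = upstream glibc version, e.g. "2.35" or "2.35-0ubuntu3".
# Returns 0 if >= 2.15, 1 if older, 2 if the string cannot be parsed.
glibc_in_affected_range() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}; rest=${1#*.}; minor=${rest%%[!0-9]*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 15 ]; }
}

# nscd.conf text on stdin. Returns 0 if the netgroup cache is enabled.
# Assumptions: the last "enable-cache netgroup" line wins; no line means disabled.
netgroup_cache_enabled() {
    awk '
        { sub(/#.*/, "") }                       # drop comments
        $1 == "enable-cache" && $2 == "netgroup" { state = $3 }
        END { exit(state == "yes" ? 0 : 1) }
    '
}

# $1 = glibc version, nscd.conf on stdin. Prints one status word.
exposure() {
    rc=0; glibc_in_affected_range "$1" || rc=$?
    case $rc in
        2) echo "unknown-glibc-version" ;;
        1) echo "glibc-predates-2.15" ;;
        0) if netgroup_cache_enabled; then echo "netgroup-cache-enabled"
           else echo "netgroup-cache-disabled"; fi ;;
    esac
}

# Demo on the constructed sample. On a real host:
#   exposure "$(getconf GNU_LIBC_VERSION | awk '{print $2}')" < /etc/nscd.conf
printf '%s\n' "$SAMPLE_CONF" | exposure 2.35
```

The status words describe configuration only; whether the fixed package is installed still has to be confirmed against the distribution's advisory, such as USN-6804-1.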

 

Mitigation Measures

 

To address these vulnerabilities, it is strongly recommended to upgrade the glibc packages on your systems. Generally, performing a standard system update will apply all the necessary patches to resolve these vulnerabilities.

The Ubuntu security team has provided updates aimed at fixing these glibc vulnerabilities in different releases, including Ubuntu 24.04 LTS, Ubuntu 23.10, Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, Ubuntu 18.04 ESM, and Ubuntu 16.04 ESM. Similarly, the Debian security team has also released updates to address these vulnerabilities in Debian 11 and Debian 12.

 

Live Patching glibc Vulnerabilities

 

Conventionally, patching these vulnerabilities would involve a reboot of the system. However, with TuxCare’s LibCare, you can automate security patching for glibc without needing to reboot or schedule maintenance windows. LibCare is an add-on tool to KernelCare Enterprise, a live kernel patching solution provided by TuxCare.

Furthermore, TuxCare’s Extended Lifecycle Support (ELS) allows you to receive security updates for end-of-life Linux systems even after the EOL date. This includes vulnerability patching for glibc, the Linux kernel, OpenSSL, Python, and other various packages. Currently, the ELS is available for CentOS 6, 7, and 8, CentOS Stream 8, Oracle Linux 6, Ubuntu 16.04, and Ubuntu 18.04.

 

Conclusion

 

The identified flaws primarily lead to denial of service, which can disrupt operations and potentially expose systems to further risks if left unaddressed. Addressing glibc vulnerabilities is crucial for maintaining the reliability and security of systems. As these vulnerabilities impact various Linux distributions, you can track the availability of patches for your specific version using a TuxCare CVE tracker.

 

Discover how KernelCare Enterprise and LibCare enable organizations to apply patches without needing reboots on all popular Linux distributions.

 

Source: USN-6804-1
