Critical Expat Vulnerabilities Fixed: Urgent Update Required
A recent discovery has highlighted significant security risks within the widely used Expat XML parsing C library. Security researcher Shang-Hung Wan identified three critical Expat vulnerabilities that could potentially lead to denial-of-service attacks or the execution of arbitrary code.
These vulnerabilities affect libexpat versions before 2.6.3 and carry a severity score of 9.8. Below is a detailed overview of each vulnerability.
Expat Vulnerabilities Details
In libexpat versions prior to 2.6.3, xmlparse.c did not reject a negative length argument passed to XML_ParseBuffer. This vulnerability allows an attacker to craft inputs that make the Expat library behave unpredictably, potentially leading to a denial of service or arbitrary code execution.
Another vulnerability arises from Expat's failure to guard against integer overflows in the dtdCopy function on 32-bit platforms. This issue, also present in libexpat before 2.6.3, means a size calculation can wrap around within the platform's 32-bit integer range, resulting in a buffer overflow and leading to a denial of service or arbitrary code execution.
Similar to the previous issue, the nextScaffoldPart function in xmlparse.c did not handle integer overflows of m_groupSize on 32-bit platforms. This flaw enables an attacker to trigger a denial of service or potentially the execution of arbitrary code.
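The three flaws share two defensive patterns: reject a caller-supplied length before it reaches pointer arithmetic, and check a size calculation for wrap-around before allocating with it. The following C program is an added illustration of those two checks and is not Expat's code; the scaffold structure, the function names and the element sizes are constructed for the example, and 32-bit platform arithmetic is simulated with uint32_t so the wrap-around case behaves the same on a 64-bit host.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for a parser's growable scaffold table.
 * `count` mirrors an int-typed size field, as it would be on a 32-bit build. */
struct scaffold {
    int *parts;   /* element storage */
    int count;    /* allocated element count */
};

/* Validate a caller-supplied buffer length before any pointer arithmetic.
 * Returns 1 if the length may be used, 0 if it must be rejected. */
int length_is_acceptable(int len, uint32_t capacity) {
    if (len < 0)                  /* a negative length is never valid */
        return 0;
    if ((uint32_t)len > capacity) /* must not exceed what the buffer holds */
        return 0;
    return 1;
}

/* Compute the doubled element count and its byte size using 32-bit arithmetic,
 * as a 32-bit platform would. Returns 1 on success and 0 if either the element
 * count or the byte size would wrap around. */
int doubled_size_checked(int count, uint32_t elem_size,
                         int *new_count, uint32_t *new_bytes) {
    if (count < 0 || elem_size == 0)
        return 0;
    int next;
    if (count == 0) {
        next = 32;                /* initial table size, chosen for the example */
    } else {
        if (count > INT_MAX / 2)  /* count * 2 would overflow int */
            return 0;
        next = count * 2;
    }
    if ((uint32_t)next > UINT32_MAX / elem_size) /* next * elem_size would wrap */
        return 0;
    *new_count = next;
    *new_bytes = (uint32_t)next * elem_size;
    return 1;
}

/* Grow the table, refusing rather than allocating a wrapped-around size. */
int scaffold_grow(struct scaffold *s) {
    int next;
    uint32_t bytes;
    if (!doubled_size_checked(s->count, (uint32_t)sizeof(int), &next, &bytes))
        return 0;
    int *p = realloc(s->parts, bytes);
    if (p == NULL)
        return 0;
    s->parts = p;
    s->count = next;
    return 1;
}

int main(void) {
    struct scaffold s = { NULL, 0 };
    printf("grow from 0: %s (count=%d)\n",
           scaffold_grow(&s) ? "ok" : "refused", s.count);
    s.count = INT_MAX / 2 + 1;    /* simulate a table that has reached the limit */
    printf("grow near INT_MAX: %s\n", scaffold_grow(&s) ? "ok" : "refused");
    printf("length -1: %s\n",
           length_is_acceptable(-1, 4096) ? "accepted" : "rejected");
    free(s.parts);
    return 0;
}
```

The refusal in doubled_size_checked is what turns a silent wrap-around into a clean parse failure: the caller sees an error return instead of an undersized allocation, which is the behaviour the 2.6.3 fixes restore for these code paths.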
Protecting Your Systems
Given the critical nature of these vulnerabilities, system administrators and users of the Expat library must take swift action by updating to the latest available version.
Major Linux distributions such as Ubuntu and Debian have released necessary security patches to mitigate potential risks. Canonical has already released patches to address these vulnerabilities across multiple supported Ubuntu releases. These include:
- Ubuntu 24.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 ESM (Extended Security Maintenance)
- Ubuntu 16.04 ESM
- Ubuntu 14.04 ESM
For users on older Ubuntu versions such as 16.04 and 18.04, which have reached their end-of-life, Canonical’s Extended Security Maintenance (ESM) provides continued security support. However, this service is only available through an Ubuntu Pro subscription.
Alternatively, users can opt for TuxCare's Extended Lifecycle Support (ELS), which offers an additional five years of security updates for Ubuntu 16.04 and Ubuntu 18.04. The ELS service covers critical patches for the Expat library and other essential packages such as the Linux kernel, OpenSSL, and Python.
The ELS team has already released patches for the above Expat vulnerabilities, and you can monitor patch releases across various Linux distributions using this CVE tracker. TuxCare currently supports CentOS 6, CentOS 7, CentOS 8, CentOS Stream 8, Ubuntu 16.04, Ubuntu 18.04, Oracle Linux 6, and Oracle Linux 7.
The Debian security team has also responded to these vulnerabilities. For users running Debian 12 (Bookworm), the vulnerabilities have been fixed in Expat version 2.5.0-1+deb12u1. Note that this is a backported fix: the package still carries upstream version 2.5.0, so the Debian package version, not the library's upstream version number, is what indicates whether the fix is present. Users are strongly encouraged to upgrade their Expat packages to this version or later to ensure they are protected from potential exploits.
Conclusion
The vulnerabilities identified by Shang-Hung Wan stem from Expat’s mishandling of certain function calls and integer overflows on 32-bit platforms. By updating to the latest patched version, you can significantly reduce the risk of exploitation and protect your systems from potential attacks.
For systems running outdated or end-of-life distributions, consider using TuxCare’s Extended Lifecycle Support to receive continued security updates.
Source: USN-7000-1