Linux iconv RCE - CVE-2024-2961
by Team Sansec
Published in Guides
On May 27th 2024, an exploit for a critical security flaw in Linux was made public (CVE-2024-2961), which makes it easier to hack into popular PHP applications. We believe we will soon see specific ecommerce attacks using this technique, so we recommend verifying that your infrastructure is up to date.
Update August 27: We are now seeing stores getting hacked using this technique.
The flaw is present in the iconv functionality of glibc. Most Linux distros have published fixed glibc packages in the last few weeks, but we observed that not all of our customers have upgraded yet.
To check whether you are currently vulnerable, you can run this code:
curl -sO https://sansec.io/downloads/cve-2024-2961.c &&
gcc cve-2024-2961.c -o poc &&
./poc
If you don’t have gcc on your production servers, you can also use our precompiled test:
curl -sO https://sansec.io/downloads/linux-amd64/cve-2024-2961 &&
chmod 700 cve-2024-2961 &&
./cve-2024-2961
If you are vulnerable, make sure to upgrade to the latest glibc version immediately. It is also strongly recommended to enable automatic security upgrades. See your Linux distro documentation for further instructions.
If you use managed hosting, urge your hosting company to upgrade their systems.
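A process started before the glibc upgrade keeps the old library files mapped until it is restarted, while the check above runs as a fresh process and only exercises the files now on disk. The following is an added example (not Sansec's code) that lists running processes still mapping a deleted glibc file; the function names and the sample maps text are constructed for illustration, and it assumes the package manager replaced the files so that the kernel marks the old mappings "(deleted)".

```bash
#!/usr/bin/env bash
# Added example (not Sansec's code): find processes still mapping glibc files
# that an upgrade removed from disk. Names and sample data are illustrative.

# Constructed /proc/<pid>/maps excerpt for a PHP worker started before the upgrade.
SAMPLE_MAPS='55d0c8a00000-55d0c8a2b000 r--p 00000000 fd:01 1311 /usr/sbin/php-fpm8.1
7f3a10000000-7f3a10028000 r--p 00000000 fd:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f3a10028000-7f3a101bd000 r-xp 00028000 fd:01 2201 /usr/lib/x86_64-linux-gnu/libc.so.6 (deleted)
7f3a0f800000-7f3a0f802000 r-xp 00000000 fd:01 2307 /usr/lib/x86_64-linux-gnu/gconv/ISO-2022-CN-EXT.so (deleted)
7f3a0f600000-7f3a0f604000 r-xp 00000000 fd:01 2410 /usr/lib/x86_64-linux-gnu/libcap.so.2 (deleted)
7ffd5c1e0000-7ffd5c201000 rw-p 00000000 00:00 0 [stack]'

# Read maps text on stdin; print each distinct deleted glibc file once:
# libc itself, or a gconv module (the shared objects holding iconv converters).
stale_glibc_files() {
    awk -v re='/(libc[-.][^/]*|gconv/[^/]+[.]so)$' '
        $NF == "(deleted)" && $(NF-1) ~ re && !seen[$(NF-1)]++ { print $(NF-1) }'
}

# Walk every readable /proc/<pid>/maps and print "pid<TAB>command<TAB>stale files".
scan_running_processes() {
    local maps pid files
    for maps in /proc/[0-9]*/maps; do
        # Processes may exit or be unreadable without root; skip those quietly.
        files=$( { stale_glibc_files < "$maps"; } 2>/dev/null ) || continue
        [ -n "$files" ] || continue
        pid=${maps#/proc/}; pid=${pid%/maps}
        printf '%s\t%s\t%s\n' "$pid" "$(cat "/proc/$pid/comm" 2>/dev/null)" \
            "$(printf '%s' "$files" | tr '\n' ' ')"
    done
}

if [ "${1:-}" = "--scan" ]; then
    scan_running_processes        # live check; run as root to see all processes
else
    printf '%s\n' "$SAMPLE_MAPS" | stale_glibc_files   # demo on the constructed sample
fi
```

Restart every service that `--scan` lists, then run it again until the output is empty.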