CVE-2024-2961: 
Bottlerocket vulnerability analysis and mitigation

The iconv() function in the GNU C Library (glibc) versions 2.39 and older contains a buffer overflow vulnerability (CVE-2024-2961) discovered by Charles Fol. The vulnerability allows an attacker to overflow the output buffer by up to 4 bytes when converting strings to the ISO-2022-CN-EXT character set (GLIBC Advisory, NVD).

The vulnerability exists in the ISO-2022-CN-EXT charset conversion code where escape sequences are used to indicate character set changes. While the SOdesignation has proper bounds checks, neither SS2designation nor SS3designation have them, allowing a write overflow of 1, 2, or 3 bytes with fixed values: '$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'. The bug was introduced in 2000 and has been present for 24 years (Ambionics Blog).

When successfully exploited, this vulnerability can lead to application crashes or memory corruption. In PHP applications, it can be leveraged to achieve remote code execution through various attack vectors including file read vulnerabilities and direct iconv() calls. The vulnerability has been demonstrated to be particularly effective against PHP applications, where it can be used to compromise the PHP engine (Openwall).

The vulnerability has been fixed in GNU C Library version 2.40 and backported to earlier versions. Users should upgrade to patched versions of glibc. Multiple Linux distributions have released security updates including Fedora, Debian, and others (Debian Advisory, Fedora Update).

The security community has shown significant interest in this vulnerability due to its age and impact. The researcher presented detailed findings at OffensiveCon 2024, demonstrating how the vulnerability could be exploited in PHP applications. The discovery has led to broader discussions about character set conversion security and PHP application security (Openwall).