ISN 2024-04: Libuv Vulnerability
First published 4 March 2024
CVSS 3.1: 7.3 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Summary
A security vulnerability has been found in the Libuv library used in IGEL OS. This affects the following IGEL products:
- IGEL OS 12 (only if Firefox app is installed)
- IGEL OS 11
Details
A security issue has been discovered in the uv_getaddrinfo function in Libuv. It truncates hostnames to 256 characters before it calls getaddrinfo. An attacker could exploit this to create payloads that are resolved to unintended IP addresses, thus bypassing security checks.
The OS 12 base system contains Libuv, but the library is only used if the Firefox app is installed.
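As an added illustration, not code from IGEL or the Libuv project: a caller-side length guard in C that rejects any name a truncating resolver would alter, so the string that passed a security check is the same string that gets resolved. The names resolver_view and hostname_length_ok are hypothetical; the 256-character cut is taken from the description above, and 253 and 63 are the standard DNS limits for a full name and a single label.

```c
#include <stdio.h>
#include <string.h>

#define TRUNCATE_AT   256  /* truncation point stated in the advisory */
#define MAX_NAME_LEN  253  /* RFC 1035: longest name in text form */
#define MAX_LABEL_LEN 63   /* RFC 1035: longest single label */

/* Hypothetical helper: copy into `out` the name a truncating resolver
   would actually look up. `out` must hold TRUNCATE_AT + 1 bytes. */
size_t resolver_view(const char *host, char *out)
{
    size_t n = strlen(host);
    if (n > TRUNCATE_AT)
        n = TRUNCATE_AT;
    memcpy(out, host, n);
    out[n] = '\0';
    return n;
}

/* Hypothetical guard: return 1 only if `host` fits DNS length limits,
   which keeps it below the truncation point. Return 0 to reject. */
int hostname_length_ok(const char *host)
{
    size_t len = strlen(host), label = 0;

    if (len == 0 || len > MAX_NAME_LEN)
        return 0;
    for (size_t i = 0; i < len; i++) {
        if (host[i] == '.') {
            if (label == 0)
                return 0;          /* empty label, e.g. "a..b" */
            label = 0;
        } else if (++label > MAX_LABEL_LEN) {
            return 0;              /* label longer than 63 characters */
        }
    }
    return 1;
}

int main(void)
{
    char name[301], seen[TRUNCATE_AT + 1];
    memset(name, 'a', 300);        /* constructed 300-character name */
    name[300] = '\0';
    printf("resolver sees %zu of %zu chars, guard returns %d\n",
           resolver_view(name, seen), strlen(name), hostname_length_ok(name));
    return 0;
}
```

Run the guard on the exact string that was validated, immediately before it is handed to the resolver; it complements the update and does not replace it.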
Update Instructions
- OS 12: Update to OS 12 base system version 12.4.1 when it is available.
- OS 11: IGEL is working on an OS 11 release with an updated Libuv.
References
- CVE-2024-24806: https://www.cve.org/CVERecord?id=CVE-2024-24806