CVE-2018-18751
📋 TL;DR
CVE-2018-18751 is a double-free vulnerability in GNU gettext 0.19.8 that allows attackers to execute arbitrary code or cause denial of service by triggering memory corruption. This affects systems using gettext for internationalization support, particularly when processing malicious message catalog files. The vulnerability is exploitable remotely in certain configurations.
💻 Affected Systems
- GNU gettext
📦 What is this software?
Ubuntu Linux by Canonical
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data theft, or ransomware deployment.
Likely Case
Application crash causing denial of service, potentially leading to service disruption.
If Mitigated
Limited impact if proper memory protections (ASLR, DEP) are enabled and the application runs with minimal privileges.
🎯 Exploit Status
Proof-of-concept available on GitHub demonstrates the double-free condition. Exploitation requires crafting malicious message catalog files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: gettext 0.19.8.1 and later
Vendor Advisory: https://access.redhat.com/errata/RHSA-2019:3643
Restart Required: Yes
Instructions:
1. Update the gettext package using the system package manager.
2. For Red Hat/CentOS: 'yum update gettext'.
3. For Debian/Ubuntu: 'apt-get update && apt-get install gettext'.
4. Recompile applications using gettext libraries.
5. Restart affected services.
🔧 Temporary Workarounds
Input Validation
Platform: all. Validate and sanitize all .po/.mo files before processing with gettext utilities.
Application Sandboxing
Platform: Linux. Run applications using gettext in containers or with reduced privileges.
docker run --security-opt no-new-privileges image_name
🧯 If You Can't Patch
- Disable or restrict processing of untrusted message catalog files
- Implement strict file integrity monitoring for .po/.mo files
🔍 How to Verify
Check if Vulnerable:
Check gettext version: 'gettext --version' or 'rpm -q gettext' or 'dpkg -l gettext'
Check Version:
gettext --version
Verify Fix Applied:
Verify version is 0.19.8.1 or later:
printf '%s\n' 0.19.8.1 "$(gettext --version | awk 'NR==1{print $NF}')" | sort -V -C && echo "Patched"
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault logs from applications using gettext
- Abnormal process termination of msgfmt or related utilities
Network Indicators:
- Unusual network connections following processing of message catalog files
SIEM Query:
process_name:"msgfmt" AND (event_type:"crash" OR exit_code:"139")
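The SIEM query above matches exit code 139 (SIGSEGV) only, while glibc's heap checks terminate a process with abort() when they detect a double free, which a shell reports as 134 (SIGABRT). The following is an added example, not part of the original advisory, that triages process-exit records for both; the record format, function names and sample data are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: flag gettext tools that were killed by a memory-error signal.
# Assumption: each input record is "<process_name> <exit_status>".

# gettext command-line utilities (real tool names; the selection is this example's choice).
GETTEXT_TOOLS="msgfmt msgmerge msgcat msgunfmt msguniq msgattrib msgcmp msgcomm msgconv msgen msgexec msgfilter msggrep msginit xgettext"

# Shells report death by signal as 128 + signal number.
signal_for_status() {
  case "$1" in
    134) echo SIGABRT ;;  # 128+6: abort(), e.g. glibc detecting a double free
    139) echo SIGSEGV ;;  # 128+11: invalid memory access
    *)   echo "" ;;
  esac
}

# Read records on stdin; print one ALERT line per gettext tool crash.
scan_events() {
  while read -r se_proc se_status; do
    case " $GETTEXT_TOOLS " in
      *" $se_proc "*) ;;
      *) continue ;;
    esac
    se_sig=$(signal_for_status "$se_status")
    if [ -n "$se_sig" ]; then
      echo "ALERT $se_proc exit=$se_status signal=$se_sig"
    fi
  done
  return 0
}

# Constructed sample records, not real telemetry.
SAMPLE_EVENTS='msgfmt 0
msgfmt 139
msgmerge 134
xgettext 1
nginx 139'

printf '%s\n' "$SAMPLE_EVENTS" | scan_events
```

Ordinary failures such as exit status 1 (a catalog with syntax errors) and crashes of unrelated processes are deliberately not flagged.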
🔗 References
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00061.html
- http://lists.opensuse.org/opensuse-security-announce/2020-08/msg00065.html
- http://lists.opensuse.org/opensuse-security-announce/2020-09/msg00025.html
- https://access.redhat.com/errata/RHSA-2019:3643
- https://github.com/CCCCCrash/POCs/tree/master/Bin/Tools-gettext-0.19.8.1/doublefree
- https://github.com/CCCCCrash/POCs/tree/master/Bin/Tools-gettext-0.19.8.1/heapcorruption
- https://usn.ubuntu.com/3815-1/
- https://usn.ubuntu.com/3815-2/