"Looney Tunables Vulnerability" in glibc
by baumei from LinuxQuestions.org on (#6FCC4)
As published by:
"SANS Institute
11200 Rockville Pike, Suite 200, North Bethesda, MD, 20852"
Quote:
Looney Tunables Vulnerability Affects Most Linux Distributions (October 3 & 4, 2023)

A buffer overflow vulnerability in GNU C Library's (glibc) dynamic loader affects nearly all Linux distributions. The vulnerability (CVE-2023-4911) was detected by researchers at Qualys; it can be exploited to attain full root privileges. The flaw was introduced in glibc 2.34 in commit 2ed18ci in April 2021. Debian, Ubuntu, Fedora, and Gentoo have released updates to address the issue.

Editor's Note

[Ullrich] "Just" a privilege escalation, but one that is easy to exploit and affects most Linux distributions in use right now. Luckily, patches are easily available. Patch, reboot and move on :)

[Neely] The issue is that a buffer overflow can be caused during ld.so's dynamic parsing of the environment variable GLIBC_TUNABLES. The researchers were able to successfully exploit the vulnerability to obtain root privileges on the default installations of Fedora 37 & 38, Ubuntu 22.04 & 23.04, and Debian 12 & 13. RedHat has provided a mitigation using a SystemTap script, a kernel extension, which terminates any setuid program invoked with GLIBC_TUNABLES in the environment. Note that RHEL 8.4 and older are not affected.

[snip]
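Added example, not part of the original post or the SANS newsletter: a read-only audit that applies the same condition as the mitigation described above (a setuid program invoked with GLIBC_TUNABLES in its environment), reporting such processes instead of terminating them. The function names and sample values are constructed for illustration; treating "real and effective UID or GID differ" as the sign of a setuid/setgid program is an assumption of this sketch, and reading other users' /proc/<pid>/environ needs root.

```python
import os
import re

PREFIX = b"GLIBC_TUNABLES="

# Constructed sample data in the formats of /proc/<pid>/environ and /proc/<pid>/status.
SAMPLE_ENVIRON = b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.check=1\0HOME=/home/u\0"
SAMPLE_STATUS = "Name:\tsu\nUid:\t1000\t0\t0\t0\nGid:\t1000\t1000\t1000\t1000\n"

def tunables_value(environ_blob):
    """Return the GLIBC_TUNABLES value from a NUL-separated environ blob, else None."""
    for entry in environ_blob.split(b"\0"):
        if entry.startswith(PREFIX):
            return entry[len(PREFIX):].decode("utf-8", "replace")
    return None

def runs_with_changed_ids(status_text):
    """True if real and effective UID or GID differ (assumed setuid/setgid execution)."""
    for line in status_text.splitlines():
        m = re.match(r"(?:Uid|Gid):\s+(\d+)\s+(\d+)", line)
        if m and m.group(1) != m.group(2):
            return True
    return False

def flag_process(environ_blob, status_text):
    """Return the tunables string only when both conditions hold, else None."""
    value = tunables_value(environ_blob)
    return value if value is not None and runs_with_changed_ids(status_text) else None

def scan_proc(root="/proc"):
    """Check every live process; unreadable or already-exited ones are skipped."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(root)):
        try:
            with open(os.path.join(root, pid, "environ"), "rb") as f:
                env = f.read()
            with open(os.path.join(root, pid, "status"), errors="replace") as f:
                status = f.read()
        except OSError:
            continue
        value = flag_process(env, status)
        if value is not None:
            hits.append((int(pid), value))
    return hits

if __name__ == "__main__":
    for pid, value in scan_proc():
        print(f"pid {pid}: changed-ID process started with GLIBC_TUNABLES={value}")
```

A hit only shows that the variable reached a privileged process, not that anything was exploited; patching glibc as the newsletter advises remains the fix.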