
CVE-2023-4911: Looney Tunables – Local Privilege Escalation in the glibc’s ld.so

2023-10-03 17:21:22
Saeed Abbasi
blog.qualys.com

The Qualys Threat Research Unit (TRU) has discovered a buffer overflow vulnerability in the GNU C Library's dynamic loader, in its processing of the GLIBC_TUNABLES environment variable. We have successfully identified and exploited this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. Other distributions are likely to be similarly susceptible, although Alpine Linux is an exception because it uses musl libc instead of glibc. This vulnerability was introduced in April 2021.

Considering the identified vulnerability in the GNU C Library's dynamic loader and its potential impact on systems, the Qualys Threat Research Unit advises security teams to prioritize patching this issue.

About GNU C Library's dynamic loader

The GNU C Library, commonly known as glibc, is the C library in the GNU system and in most systems running the Linux kernel. It provides the system calls and other basic functions, such as open, malloc, printf, and exit, that a typical program requires. The GNU C Library's dynamic loader is a crucial component of glibc responsible for preparing and running programs. When a program is started, the loader first examines it to determine which shared libraries it requires. It then searches for these libraries, loads them into memory, and links them with the executable at runtime. In the process, the dynamic loader resolves symbol references, such as function and variable references, so that everything is in place for the program's execution. Given this role, the dynamic loader is highly security-sensitive: its code runs with elevated privileges whenever a local user launches a set-user-ID or set-group-ID program.

GLIBC_TUNABLES Environment Variable

The GLIBC_TUNABLES environment variable was introduced in glibc to offer users the ability to modify the library's behavior at runtime, eliminating the need to recompile either the application or the library. By setting GLIBC_TUNABLES, users can adjust various performance and behavior parameters, which are then applied upon application startup.
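Tying together the two points above (GLIBC_TUNABLES is read from the environment at program startup, and ld.so does so with elevated privileges for set-user-ID programs), here is an added triage script that is not Qualys code: it parses each running process's environ, splits GLIBC_TUNABLES into name=value pairs, and reports the processes whose executable carries a set-ID bit. It assumes a Linux /proc layout and reports presence only, which is a hunting lead and not proof of exploitation; the tunable names used when testing it are constructed samples.

```python
import os
import stat

VAR = b"GLIBC_TUNABLES="


def tunables_from_environ(blob):
    """Parse a /proc/<pid>/environ blob (NUL-separated KEY=VALUE entries) and
    return the GLIBC_TUNABLES setting as (name, value) pairs. The variable is a
    colon-separated list of name=value assignments; an item without '=' is kept
    with an empty value so nothing odd is silently dropped from the report."""
    for entry in blob.split(b"\0"):
        if entry.startswith(VAR):
            raw = entry[len(VAR):].decode("utf-8", "replace")
            pairs = []
            for item in raw.split(":"):
                if item:
                    name, _, value = item.partition("=")
                    pairs.append((name, value))
            return pairs
    return []


def is_privileged_binary(mode):
    """True for set-user-ID or set-group-ID modes, where ld.so runs privileged."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


def scan_proc(proc_root="/proc"):
    """Return (pid, exe, tunables) for live processes that carry GLIBC_TUNABLES
    and whose executable is set-ID. Reading other users' environ needs root."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        base = os.path.join(proc_root, pid)
        try:
            with open(os.path.join(base, "environ"), "rb") as f:
                pairs = tunables_from_environ(f.read())
            if pairs:
                exe = os.readlink(os.path.join(base, "exe"))
                if is_privileged_binary(os.stat(exe).st_mode):
                    hits.append((int(pid), exe, pairs))
        except OSError:
            continue  # process exited, or environ not readable by this user
    return hits


if __name__ == "__main__":
    for pid, exe, pairs in scan_proc():
        print(f"pid {pid} {exe} GLIBC_TUNABLES={pairs}")
```

Run it as root to see every user's processes; an unprivileged run only reports your own.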

Potential Impact of Looney Tunables

The presence of a buffer overflow vulnerability in the dynamic loader's handling of the GLIBC_TUNABLES environment variable poses significant risks to numerous Linux distributions. This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security.

Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability's severity and widespread nature. Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits. This could put countless systems at risk, especially given the extensive use of glibc across Linux distributions. While certain distributions like Alpine Linux are exempt due to their use of musl libc instead of glibc, many popular distributions are potentially vulnerable and could be exploited in the near future.

Disclosure Timeline

  • 2023-09-04: Advisory and exploit sent to secalert@redhat.
  • 2023-09-19: Advisory and patch sent to linux-distros@openwall.
  • 2023-10-03: Coordinated Release Date (17:00 UTC).

Technical Details

The technical details of this vulnerability are available at:

<https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt>

Qualys QID Coverage

Qualys is releasing the QIDs in the table below as they become available, starting with vulnsigs version VULNSIGS-2.5.881-2 and in Linux Cloud Agent manifest version LX_MANIFEST-2.5.881.2-1.

QID       Title
356310    Amazon Linux Security Advisory for glibc : ALAS2023-2023-359
6000014   Debian Security Update for glibc (DSA 5514-1)
199798    Ubuntu Security Notification for GNU C Library Vulnerabilities (USN-6409-1)
284571    Fedora Security Update for glibc (FEDORA-2023-028062484e)
284570    Fedora Security Update for glibc (FEDORA-2023-2b8c11ee75)
710764    Gentoo Linux glibc Multiple Vulnerabilities (GLSA 202310-03)

Please check Qualys Vulnerability Knowledgebase for the full list of coverage for these vulnerabilities.

Conclusion

In conclusion, the Qualys Threat Research Unit's discovery of a buffer overflow in the GNU C Library's dynamic loader is a pressing concern for many Linux distributions. Because it can grant full root access on popular platforms like Fedora, Ubuntu, and Debian, system administrators should act swiftly. While Alpine Linux users can breathe a sigh of relief, others should prioritize patching to ensure system integrity and security.