Lucene search

K
redhatcveRedhat.comRH:CVE-2023-4911
HistoryOct 03, 2023 - 5:24 p.m.

CVE-2023-4911

2023-10-0317:24:53
redhat.com
access.redhat.com
147
buffer overflow
gnu c library
dynamic loader
glibc_tunables
suid permission
mitigation
systemtap
secure boot

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.016

Percentile

87.4%

A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Mitigation

For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. GLIBC_TUNABLES= sudo .

Note that these mitigation steps will need to be repeated if the system is rebooted.

  1. Install required systemtap packages and dependencies as per - <https://access.redhat.com/solutions/5441&gt;

  2. Create the following systemtap script, and name it stap_block_suid_tunables.stp:

    function has_tunable_string:long()
    {
    name = “GLIBC_TUNABLES”

    mm = @task(task_current())->mm;
    if (mm)
    {
    env_start = @mm(mm)->env_start;
    env_end = @mm(mm)->env_end;

       if (env_start != 0 && env_end != 0)  
         while (env_end &gt; env_start)  
           {  
             cur = user_string(env_start, "");  
             env_name = tokenize(cur, "=");  
         
             if (env_name == name && tokenize("", "") != "")  
               return 1;  
             env_start += strlen (cur) + 1  
           }  
     }  
    

    return 0;
    }

    probe process(“/lib*/ld*.so*”).function(“__tunables_init”)
    {
    atsecure = 0;
    /* Skip processing if we can’t read __libc_enable_secure, e.g. core dump
    handler (systemd-cgroups-agent and systemd-coredump). */
    try { atsecure = @var(“__libc_enable_secure”); }
    catch { printk (4, sprintf (“CVE-2023-4911: Skipped check: %s (%d)”, execname(), pid())); }
    if (atsecure && has_tunable_string ())
    raise (9);
    }

  3. Load the systemtap module into the running kernel:

     stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp  
    
  4. Ensure the module is loaded:

      lsmod | grep -i stap_block_suid_tunables  
    

    stap_block_suid_tunables 249856 0

  5. Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:

     rmmod stap_block_suid_tunables  
    

If Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - <https://www.redhat.com/sysadmin/secure-boot-systemtap&gt;

CVSS3

7.8

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS

0.016

Percentile

87.4%