A vulnerability in Linux’s GNU C Library (glibc) could allow attackers to gain full root access to a system, according to a warning from researchers at Qualys.
Tracked as CVE-2023-6246 and described as a heap-based buffer overflow, the issue was identified in glibc’s __vsyslog_internal() function, which is called by the widely-used syslog() and vsyslog() logging functions.
An unprivileged attacker could exploit the flaw by providing an argv[0] or openlog() ident argument longer than 1024 bytes to overflow the __vsyslog_internal() buffer and overwrite the name[] field of a heap-based struct nss_module with a string of characters that contains a slash.
This action results in a shared library located in the attacker’s working directory being loaded and executed with root privileges, Qualys explains in a technical documentation of its findings.
However, Qualys points out that it takes thousands of attempts to brute force the exploit parameters (such as the length of argv[0] and other variables), which makes the vulnerability unlikely to be triggered remotely.
Even so, the severity of the bug should not be underestimated, as it could provide an attacker with full root access through crafted inputs to applications that employ the syslog() and vsyslog() logging functions.
“Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library,” Qualys notes.
Introduced in glibc version 2.37 in August 2022 and backported to glibc 2.36 while addressing a different issue, Qualys notes that the CVE-2023-6246 bug impacts major Linux distributions.
The vulnerability was addressed in glibc 2.38, an update that also resolves five other security defects found by the Qualys team.
Additionally, the Qualys researchers called attention to another issue in glibc, identified in the library’s qsort() function, that could lead to memory corruption and impacts all glibc versions from 1.04 (September 1992) through 2.38 (January 2024).
Related: ‘Looney Tunables’ Glibc Vulnerability Exploited in Cloud Attacks
Related: Critical SOCKS5 Vulnerability in cURL Puts Enterprise Systems at Risk
Related: One-Click GNOME Exploit Could Pose Serious Threat to Linux Systems
