Major Linux distributions such as Debian, Fedora, and Ubuntu are affected by a GNU C Library (glibc) vulnerability that could provide an attacker with full root privileges.
The C library used by GNU and by most systems running the Linux kernel, glibc provides the system call interfaces and other functionality that a program typically requires.
The identified issue, named ‘Looney Tunables’ and tracked as CVE-2023-4911 (CVSS score of 7.8), impacts glibc’s dynamic loader, which is responsible for loading into memory the libraries that a program needs, linking them with the executable at runtime.
When performing these operations, the dynamic loader resolves symbol references, preparing everything for the program’s execution.
CVE-2023-4911 impacts the dynamic loader’s processing of the GLIBC_TUNABLES environment variable (also referred to as ‘tunables’), which allows users to change the library’s behavior at runtime by adjusting different parameters.
“The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities,” security firm Qualys, which identified the vulnerability, notes.
According to Qualys, the glibc dynamic loader’s processing of the tunables variables is susceptible to a buffer overflow that can be exploited to obtain full root privileges on an impacted system.
The issue was introduced in April 2021, with the release of glibc 2.34, and exploitation has been successfully tested on Debian 12 and 13, Fedora 37 and 38, and Ubuntu 22.04 and 23.04. Other Linux distributions might be impacted as well, except for Alpine Linux, which uses musl libc instead of glibc.
The issue resides in the way the dynamic loader’s processing function sanitizes tunables. Because the function removes all dangerous tunables but keeps specific ones, supplying a specially crafted environment variable (in the form name=name=val) results in the tunable being processed twice, overflowing the buffer.
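For defenders, the name=name=val shape described above is a concrete thing to look for. The following Python script is an added example, not Qualys’s code or any part of glibc: it parses a GLIBC_TUNABLES value into its colon-separated name=value entries and flags any entry whose value itself begins with another tunable name followed by ‘=’, then applies the same check to raw /proc/<pid>/environ blocks so running processes can be audited. The tunable-name pattern, the sample environment block and the helper names are all assumptions constructed for the example.

```python
"""Flag GLIBC_TUNABLES entries of the malformed name=name=val shape.

Added example (not glibc's parser and not Qualys's code). Heuristic only:
an entry is reported when its value starts with "<tunable-name>=".
"""
import os
import re
from typing import List, Tuple

# Assumed shape of a tunable name: "glibc." followed by dotted identifiers,
# e.g. glibc.malloc.mxfast or glibc.rtld.nns.
TUNABLE_NAME = re.compile(r"^glibc(\.[A-Za-z0-9_]+)+$")

Hit = Tuple[str, str]  # (tunable name, offending value)


def find_malformed_tunables(glibc_tunables: str) -> List[Hit]:
    """Return the (name, value) entries whose value re-embeds a tunable name.

    GLIBC_TUNABLES is a colon-separated list of name=value pairs; a value
    that itself reads "name=val" is the double-processing shape.
    """
    hits: List[Hit] = []
    for entry in glibc_tunables.split(":"):
        name, sep, value = entry.partition("=")
        if not sep or not TUNABLE_NAME.match(name):
            continue  # no '=' or not a tunable name: nothing to check
        inner_name, inner_sep, _ = value.partition("=")
        if inner_sep and TUNABLE_NAME.match(inner_name):
            hits.append((name, value))
    return hits


def scan_environ_block(environ: bytes) -> List[Hit]:
    """Apply the check to a raw /proc/<pid>/environ block (NUL-separated)."""
    prefix = b"GLIBC_TUNABLES="
    for raw in environ.split(b"\x00"):
        if raw.startswith(prefix):
            value = raw[len(prefix):].decode("utf-8", "replace")
            return find_malformed_tunables(value)
    return []


def scan_proc(proc_root: str = "/proc") -> List[Tuple[int, Hit]]:
    """Walk /proc and report (pid, hit) for every process with a malformed
    GLIBC_TUNABLES in its environment. Needs privileges to read other
    users' environ files; unreadable or vanished processes are skipped."""
    findings: List[Tuple[int, Hit]] = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as f:
                block = f.read()
        except OSError:
            continue
        for hit in scan_environ_block(block):
            findings.append((int(pid), hit))
    return findings


# Constructed sample environ block, not captured from a real system.
SAMPLE_ENVIRON = (
    b"PATH=/usr/bin\x00"
    b"GLIBC_TUNABLES=glibc.malloc.tcache_count=4:glibc.rtld.nns=glibc.rtld.nns=1\x00"
    b"HOME=/root\x00"
)

if __name__ == "__main__":
    print("sample block:", scan_environ_block(SAMPLE_ENVIRON))
    if os.path.isdir("/proc"):
        for pid, (name, value) in scan_proc():
            print(f"pid {pid}: {name}={value}")
```

The check is deliberately narrow: a well-formed list such as glibc.malloc.tcache_count=4 produces no hit, while glibc.rtld.nns=glibc.rtld.nns=1 does. It does not tell you whether the installed glibc is patched; for that, rely on the distribution’s package advisories.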
Because the vulnerability can lead to full root privileges and is relatively easy to exploit, Qualys is not sharing its proof-of-concept (PoC) code, although it has provided an extensive technical analysis.
“Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature. Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits,” Qualys notes.