Exploits Released for Linux Flaw Giving Root on Major Distros

Cyber Security Threat Summary:
“Proof-of-concept exploits have already surfaced online for a high-severity flaw in GNU C Library's dynamic loader, allowing local attackers to gain root privileges on major Linux distributions. Dubbed 'Looney Tunables' and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness, and it affects default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38” (Bleeping Computer, 2023).

Attackers trigger the vulnerability with a maliciously crafted GLIBC_TUNABLES environment variable, which the ld.so dynamic loader parses at the start of every dynamically linked program. Because ld.so runs inside the target process, a local, unprivileged attacker who launches a setuid-root binary with the crafted variable in its environment can turn the resulting buffer overflow into arbitrary code execution with root privileges.
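To make the overflow concrete, the following is a constructed, simplified C model of the parse_tunables() loop in ld.so where the bug lives; it is an added example, not glibc's code and not Qualys's exploit. It keeps a single recognised tunable name in place of glibc's tunable table, parses a GLIBC_TUNABLES-style string, writes recognised name=value pairs back the way the setuid (AT_SECURE) path does, and counts the bytes written against the strlen(input)+1 buffer glibc allocates for the rewritten string. The `fixed` flag switches between the vulnerable loop exit and the patched one, and the trigger input is the NAME=NAME=VALUE shape that Qualys's published test uses. The function names, the bounded `put()` helper and the scratch buffer sizes are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (not glibc's code) of the parse_tunables() loop in
   which CVE-2023-4911 lives.  One recognised name stands in for the
   tunable table, and put() counts every byte the parser would write so
   the overflow is measured instead of corrupting the heap. */

#define TUNABLE_NAME "glibc.malloc.mxfast"

/* Store c at out[*off] if it fits, but always advance *off: the count is
   what the loader would have written to its strlen(env)+1 buffer. */
static void put(char *out, size_t cap, size_t *off, char c)
{
    if (*off < cap)
        out[*off] = c;
    (*off)++;
}

/* Parse a GLIBC_TUNABLES-style string.  As the setuid (AT_SECURE) path does
   for tunables that are not SXID_ERASE, recognised "name=value" pairs are
   written back to out.  Returns the number of bytes written, terminator
   included.  fixed selects the patched loop exit. */
static size_t parse_tunables_model(const char *input, bool fixed,
                                   char *out, size_t cap)
{
    const char *p = input;
    size_t off = 0;

    for (;;) {
        const char *name = p;
        size_t nlen = 0;
        while (p[nlen] != '=' && p[nlen] != ':' && p[nlen] != '\0')
            nlen++;
        if (p[nlen] == '\0') {          /* no "name=value" left: terminate */
            put(out, cap, &off, '\0');
            return off;
        }
        if (p[nlen] == ':') {           /* empty or invalid pair: skip it */
            p += nlen + 1;
            continue;
        }
        p += nlen + 1;                  /* step over '=' */
        const char *value = p;
        size_t vlen = 0;
        while (p[vlen] != ':' && p[vlen] != '\0')
            vlen++;

        if (nlen == strlen(TUNABLE_NAME) && memcmp(name, TUNABLE_NAME, nlen) == 0) {
            if (off > 0)
                put(out, cap, &off, ':');
            for (const char *n = TUNABLE_NAME; *n != '\0'; n++)
                put(out, cap, &off, *n);
            put(out, cap, &off, '=');
            for (size_t j = 0; j < vlen; j++)
                put(out, cap, &off, value[j]);
        }

        if (fixed) {
            /* Patched loop exit: end of input ends parsing. */
            if (p[vlen] == '\0') {
                put(out, cap, &off, '\0');
                return off;
            }
            p += vlen + 1;
        } else if (p[vlen] != '\0') {
            p += vlen + 1;
        }
        /* Vulnerable loop exit: at end of input p is left pointing at the
           value just consumed, so the next iteration re-parses it as a new
           name=value pair.  For "NAME=NAME=A" the value is "NAME=A", which
           matches again and appends ":NAME=A", more than the loader's
           strlen(env)+1 buffer has room for. */
    }
}

/* Bytes the parser writes for input, using a scratch buffer large enough
   that the model itself never overflows. */
static size_t bytes_written(const char *input, bool fixed)
{
    char scratch[512];
    return parse_tunables_model(input, fixed, scratch, sizeof scratch);
}

/* True when the bytes written fit the strlen(input)+1 buffer glibc uses. */
static bool fits_in_tunestr(const char *input, bool fixed)
{
    return bytes_written(input, fixed) <= strlen(input) + 1;
}

int main(void)
{
    /* Constructed inputs: the benign form and the CVE-2023-4911 trigger shape. */
    const char *inputs[] = {
        "glibc.malloc.mxfast=A",
        "glibc.malloc.mxfast=glibc.malloc.mxfast=A",
    };
    for (size_t i = 0; i < 2; i++) {
        size_t cap = strlen(inputs[i]) + 1;
        size_t v = bytes_written(inputs[i], false);
        size_t f = bytes_written(inputs[i], true);
        printf("%-45s buffer=%zu vulnerable=%zu fixed=%zu%s\n",
               inputs[i], cap, v, f, v > cap ? "  <-- overflow" : "");
    }
    return 0;
}
```

The benign form stays within its buffer under both loop exits; only the doubled-name form makes the vulnerable parser write a second copy of the pair past the end, which is why the ordinary use of GLIBC_TUNABLES never showed the bug. In real ld.so the parser walks and rewrites the same heap buffer, so those extra bytes land on whatever the loader allocated next, which is the corruption the exploits build on.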


Qualys’ Threat Research Unit disclosed the vulnerability earlier this week, and several other security researchers have since published proof-of-concept (PoC) exploit code that works on some system configurations. Of the posted PoCs, one has been confirmed to work against a limited number of targets. Other researchers have been posting their own CVE-2023-4911 exploits on GitHub and elsewhere, but I have yet to see confirmation that they are working.

This vulnerability presents a significant threat to Linux platforms: it is a local privilege escalation that gives any unprivileged user complete root access on systems running recent releases of Fedora, Ubuntu, and Debian. Alpine Linux is unaffected because it ships musl libc rather than glibc.

This vulnerability is expected to have widespread impact. Qualys, which withheld its own exploit code, says exploitation is straightforward and that the buffer overflow can be turned into a data-only attack: rather than hijacking control flow, it corrupts the loader's own data so that a setuid program loads a library from an attacker-controlled directory. Given how widely glibc is used across Linux distributions, the vulnerability puts a very large number of systems at risk.

Suggested Correction(s):
CVE-2023-4911 has been fixed in upstream glibc (the bug was introduced in glibc 2.34 in April 2021, so releases 2.34 through 2.38 are affected unless patched). Linux distribution vendors are urging users to upgrade to a non-vulnerable version of the library: Ubuntu, Red Hat, Debian, Fedora, Gentoo. Distributions such as Alpine Linux are exempt because they use musl libc instead of glibc, but most popular distributions are vulnerable and, with public PoCs circulating, should be treated as exploitable now.

The best mitigation is patching: if your distribution is affected, install the fixed glibc package it provides. Some vendors also offer interim workarounds, which vary between vendors and do not replace the patch. To confirm whether a system's loader is vulnerable, check the installed glibc package version against the vendor advisory; Qualys's advisory also includes a one-line test that runs /usr/bin/su with a crafted GLIBC_TUNABLES value, where a segmentation fault indicates a vulnerable loader.

Red Hat published instructions for using a SystemTap script that detects setuid binaries being invoked with GLIBC_TUNABLES in their environment and terminates them immediately. This workaround requires installing additional software (SystemTap), does not persist across reboots, so the script must be reloaded after every restart, and is a stopgap until the patched glibc is installed.