Meep meep! and Thufferin’ Thuccotash! It must be Wabbit Season in vulnerability management – a critical buffer overflow vulnerability dubbed “Looney Tunables” (CVE-2023-4911) is being actively exploited (likely by varmints) in GNU/Linux operating systems, so ¡Andale! ¡Andale! Time to get patching! Full details below:
GNU/Linux refers to the Linux distributions that combine the Linux kernel with GNU userland software, most importantly the GNU C Library (glibc).
The GNU C Library, commonly known as glibc, is the GNU Project’s implementation of the C standard library. It is a wrapper around the system calls of the Linux kernel for application use. Despite its name, it now also directly supports C++ (and, indirectly, other programming languages). The GNU C Library project provides the core libraries for the GNU system, as well as many systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit, and more.
The GNU C Library’s dynamic loader uses the GLIBC_TUNABLES environment variable to allow the user to specify certain “tunable” configuration values when the program is run. The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities.
A buffer overflow vulnerability was discovered in the GNU C Library’s dynamic loader, ld.so, while it processes the GLIBC_TUNABLES environment variable: the loader copies the variable’s contents into a buffer sized for that string, and a specially formed value causes it to write past the end of that buffer. A buffer overflow condition exists when a program attempts to put more data in a buffer than it can hold, or to write into memory outside the boundaries of a buffer. The extra data overflows into adjacent memory locations and corrupts or overwrites whatever is stored there; in the loader’s case, that adjacent memory holds data the loader itself relies on to load the program.
Because the vulnerable environment variable controls “tunable” configuration values, the vulnerability has been dubbed “Looney Tunables”.
Exploitation of CVE-2023-4911 requires only local access: an attacker who can launch a set-user-ID (SUID) binary with a maliciously crafted GLIBC_TUNABLES value in its environment can turn the overflow into arbitrary code execution and spawn a shell. Because the dynamic loader runs with the privileges of the program it is loading, exploiting a set-UID-root binary yields a shell with root (superuser) privileges.
The vulnerability was introduced in April 2021 and first shipped in glibc 2.34, but was not discovered by security researchers until September 2023. Public exploits have been available since at least October 6, 2023. CISA (America’s Cyber Defense Agency) reported it as actively exploited in the wild, at scale, as of 2023-11-21. Remediation should therefore be prioritised in any impacted environment.
Other glibc-based Linux distributions, and some network hardware built on the Linux kernel, are probably also vulnerable and exploitable (one notable exception is Alpine Linux, which uses musl libc rather than glibc).
Any system running glibc 2.34 or later without the vendor fix applied is affected; systems still on glibc releases before 2.34 are not. Because distributions backport the fix without changing the glibc version number, the version alone cannot confirm that a host is safe, only that it was ever in scope.
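The two checks a practitioner would want, as an added example that is not part of the AppCheck advisory or of glibc itself: a version check (is this glibc even in the 2.34+ range that ever shipped the bug?) and the crash test that Qualys published alongside its disclosure, which makes a vulnerable ld.so segfault by passing a `name=name=value` tunable together with a large environment. Assumptions: `ldd --version` prints the glibc version as the last `major.minor` token on its first line, and `/usr/bin/su` (or `/bin/su`) is a set-UID binary available to use as the harmless target; both are assumptions, not facts from the post.

```shell
#!/bin/sh
# Added example (not from the AppCheck advisory): two checks for CVE-2023-4911.
#   1. version range: the bug first shipped in glibc 2.34, so older glibc is not
#      affected; newer glibc may or may not be, depending on backported fixes.
#   2. crash test published by Qualys: a vulnerable ld.so segfaults when
#      GLIBC_TUNABLES contains "glibc.malloc.mxfast=glibc.malloc.mxfast=A" and a
#      large environment variable is present. A patched loader just prints help.

# Extract "major.minor" from the first line of `ldd --version` output.
# Assumed line formats: "ldd (GNU libc) 2.35" or "ldd (Ubuntu GLIBC 2.35-0ubuntu3.4) 2.35".
glibc_version_from_ldd() {
    printf '%s\n' "$1" | sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# True (exit 0) if version $1 is >= 2.34, i.e. inside the range that ever shipped the bug.
glibc_in_affected_range() {
    [ -n "$1" ] || return 2
    major=${1%%.*}
    minor=${1#*.}
    minor=${minor%%.*}        # drop any patch component such as 2.39.1 -> 39
    [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]; }
}

# Qualys crash test against a set-UID binary (assumed: su). Exit codes:
#   0 = loader did not crash (patched or not affected)
#   1 = loader died on a signal (segfault): host is vulnerable
#   2 = no suitable binary to test
looney_tunables_crash_test() {
    bin=${1:-/usr/bin/su}
    [ -x "$bin" ] || bin=/bin/su
    [ -x "$bin" ] || return 2
    pad=$(printf '%08192x' 1)  # 8 KiB of padding, as in the published test
    if env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=$pad" "$bin" --help >/dev/null 2>&1; then
        rc=0
    else
        rc=$?
    fi
    [ "$rc" -gt 128 ] && return 1   # killed by a signal (139 = SIGSEGV)
    return 0
}

# Run both checks on this host when executed directly.
ver=""
if command -v ldd >/dev/null 2>&1; then
    ver=$(glibc_version_from_ldd "$(ldd --version 2>/dev/null)")
fi
if [ -z "$ver" ]; then
    echo "glibc version: not detected (non-glibc libc such as musl, or unexpected ldd output)"
elif glibc_in_affected_range "$ver"; then
    echo "glibc $ver: in the 2.34+ range, verify the fix is applied"
else
    echo "glibc $ver: predates 2.34, not affected by CVE-2023-4911"
fi
if looney_tunables_crash_test; then
    echo "crash test: loader did not crash, appears patched"
else
    case $? in
        1) echo "crash test: ld.so crashed, host is VULNERABLE to CVE-2023-4911" ;;
        *) echo "crash test: skipped, no set-UID su binary found" ;;
    esac
fi
```

The crash test is deliberately non-destructive: on a vulnerable host the target dies with a segmentation fault before it does anything, and on a patched host it simply prints its help text. It is still a crash of a set-UID process, so run it on your own systems, not on anything you do not own.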
Red Hat published instructions (https://access.redhat.com/security/cve/cve-2023-4911) for an interim mitigation using SystemTap: a script that watches for set-UID programs being launched with GLIBC_TUNABLES in their environment and terminates them immediately, before the loader parses the variable. This is a stopgap for hosts that cannot be patched straight away, not a replacement for the fix.
This vulnerability affects multiple vendor products that bundle or depend on the GNU project’s glibc library. Customers are advised to contact their specific software vendor for patch availability.
With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it’s imperative for system administrators to act swiftly.
NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.
Category: Buffer Overflow
AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.
AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).