Meep meep! and Thufferin’ Thuccotash! It must be Wabbit Season in vulnerability management – a critical buffer overflow vulnerability dubbed “Looney Tuneables” is being actively exploited (likely by varmints) in GNU/Linux Operating Systems, so  ¡Andale! ¡Andale! Time to get patching! Full details below:

Background & Context

GNU/Linux is a subset of Linux distributions which use a combination of the Linux kernel along with GNU software such as the GNU C Library (glibc).

The GNU C Library, commonly known as glibc, is the GNU Project’s implementation of the C standard library. It is a wrapper around the system calls of the Linux kernel for application use. Despite its name, it now also directly supports C++ (and, indirectly, other programming languages). The GNU C Library project provides the core libraries for the GNU system, as well as many systems that use Linux as the kernel. These libraries provide critical APIs including ISO C11, POSIX.1-2008, BSD, OS-specific APIs and more. These APIs include such foundational facilities as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, exit, and more.

Vulnerability Summary

The GNU C Library’s dynamic loader uses the GLIBC_TUNABLES environment variable to allow the user to specify certain “tunable” configuration values when the program is run. The dynamic loader is extremely security sensitive, because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities.

A buffer overflow vulnerability was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. A buffer overflow condition exists when a product attempts to put more data in a buffer than it can hold, or when it attempts to put data in a memory area outside of the boundaries of a buffer. That extra data overflows into adjacent memory locations and corrupts or overwrites the data in those locations.

Because the vulnerable environment variable controls “tunable” configuration values, the vulnerability has been dubbed “Looney Tunables”.

Impact If Exploited

Exploitation of CVE-2023-4911 could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to get arbitrary execution and return a shell. If the binary being loaded is running with root privileges (such as a SetUID program), then the resulting shell will also have root (superuser) privileges.

This vulnerability was introduced in April 2021 (glibc 2.34) but remained undiscovered by security researchers until September 2023. Public exploits have been published in the wild since at least October 6, 2023. The vulnerability has been reported by the CISA (America’s Cyber Defense Agency) to be known to be currently actively exploited in the wild and at scale as of 2023-11-21. Prioritisation should therefore be given to remediation in any impacted environment.

Affected Product Versions

• Fedora Linux 37 and 38
• Ubuntu Linux 22.04 and 23.04
• Debian Linux 12 and 13
• Amazon Linux
• Gentoo Linux
• Redhat / CentOS Linux

Other GNU Linux distributions and some network hardware based on Linux kernels are probably also vulnerable and exploitable (one notable exception is Alpine Linux, which uses musl libc, not the glibc).

This vulnerability has existed since its introduction in April 2021, putting a significant number of systems at risk.

Indicators of Compromise

• Because many Proof of Concepts (POCs) are invoking the su binary (though most SetUID binaries would work), some detections for su brute force attacks will trigger when this exploit is run.
• If you have a system that is configured to log environment variables, this would be very easy to detect. However, it is not common to configure systems in this way, as secrets are often stored in environment variables, and you wouldn’t want to log them.
• Another way to identify this attack is to look for crashing SetUID binaries, especially if it happens a lot within a short period of time. These events can be seen in /var/log/syslog

RedHat published instructions (https://access.redhat.com/security/cve/cve-2023-4911) for using their SystemTap tools to detect which binaries are invoking GLIBC_TUNABLES in the environment and terminate them immediately.

Remediation

Official Fix & Remediation Guidance

This product impacts multiple vendor products that make use of the GNU project’s glibc library. Customers are advised to contact their specific software vendor for patch availability.

With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it’s imperative for system administrators to act swiftly.

NOTE: Remediation of this vulnerability by patching to a specific version indicated may not be sufficient to secure the product against further vulnerabilities discovered in later versions, subsequent to the publication of this guidance. Unless contra-indicated, customers are therefore advised to always upgrade to the latest version of the product available.

References:

Summary Information

• http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html
• http://seclists.org/fulldisclosure/2023/Oct/11
• https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt

Proof of Concept (PoC) Exploits

• https://github.com/RickdeJager/CVE-2023-4911
• https://www.hackthebox.com/blog/exploiting-the-looney-tunables-vulnerability-cve-2023-4911
• https://twitter.com/bl4sty/status/1710327408182673518?ref_src=twsrc%5Etfw

Vendor-Specific References:

• https://access.redhat.com/errata/RHSA-2023:5453
• https://access.redhat.com/errata/RHSA-2023:5454
• https://access.redhat.com/errata/RHSA-2023:5455
• https://access.redhat.com/errata/RHSA-2023:5476
• https://access.redhat.com/security/cve/CVE-2023-4911
• https://bugzilla.redhat.com/show_bug.cgi?id=2238352
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/
• https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/
• https://security.gentoo.org/glsa/202310-03
• https://security.netapp.com/advisory/ntap-20231013-0006/
• https://www.debian.org/security/2023/dsa-5514

Category: Buffer Overflow

Detection

AppCheck has added a plugin to detect the flaw that will run as part of your standard scans.

About AppCheck

AppCheck is a software security vendor based in the UK, offering a leading security scanning platform that automates the discovery of security flaws within organisations websites, applications, network, and cloud infrastructure. AppCheck are authorized by the Common Vulnerabilities and Exposures (CVE) Program as a CVE Numbering Authority (CNA).