Security News > 2023 > October > “Looney Tunables” bug allows root access on Linux distros (CVE-2023-4911)

A vulnerability in the GNU C Library can be exploited by attackers to gain root privileges on many popular Linux distributions, according to Qualys researchers.

Dubbed "Looney Tunables", CVE-2023-4911 is a buffer overflow vulnerability in the dynamic loader's processing of the GLIBC TUNABLES environment variable.

"The GNU C Library, commonly known as glibc, is the C library in the GNU system and in most systems running the Linux kernel. It defines the system calls and other basic functionalities, such as open, malloc, printf, exit, etc., that a typical program requires," Saeed Abbasi, product manager at Qualys' Threat Research Unit, explained.

They've detailed their research into the vulnerability's potential for exploitation and shared that they exploited it to obtain full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.

"While certain distributions like Alpine Linux are exempt due to their use of musl libc instead of glibc, many popular distributions are potentially vulnerable and could be exploited in the near future," Abbasi noted.

By now, CVE-2023-4911 has been fixed in upstream glibc. Linux distribution vendors are urging users to upgrade to a non-vulnerable version of the library: Ubuntu, RedHat, Debian, Fedora, Gentoo.

News URL

https://www.helpnetsecurity.com/2023/10/05/cve-2023-4911/