“Looney Tunables” bug allows root access on Linux distros (CVE-2023-4911)
A vulnerability (CVE-2023-4911) in the GNU C Library (aka “glibc”) can be exploited by attackers to gain root privileges on many popular Linux distributions, according to Qualys researchers.
Dubbed “Looney Tunables”, CVE-2023-4911 is a buffer overflow vulnerability in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. To exploit it, attackers first need to establish access to the system.
“The GNU C Library, commonly known as glibc, is the C library in the GNU system and in most systems running the Linux kernel. It defines the system calls and other basic functionalities, such as open, malloc, printf, exit, etc., that a typical program requires,” Saeed Abbasi, product manager at Qualys’ Threat Research Unit, explained.
“The GNU C Library’s dynamic loader is a crucial component of glibc responsible for preparing and running programs. Given its role, the dynamic loader is highly security-sensitive, as its code runs with elevated privileges when a local user launches a set-user-ID or set-group-ID program.”
Qualys researchers discovered the vulnerability in glibc v2.34 manually, but they say it was also discoverable by fuzzing the vulnerable function.
They’ve detailed their research into the vulnerability’s potential for exploitation and shared that they exploited it to obtain full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.
They did not publish proof-of-concept exploit code, but noted that “the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits.”
Fixes are available
“While certain distributions like Alpine Linux are exempt due to their use of musl libc instead of glibc, many popular distributions are potentially vulnerable and could be exploited in the near future,” Abbasi noted.
By now, CVE-2023-4911 has been fixed in upstream glibc.
UPDATE (October 6, 2023, 04:20 a.m. ET):