Researchers from Qualys have identified a vulnerability in the GNU C Library (glibc) that affects Linux distributions such as Debian, Fedora, and Ubuntu and could provide an attacker with full root privileges.
The high-severity vulnerability, dubbed Looney Tunables and tracked as CVE-2023-4911, impacts glibc’s dynamic loader, which is responsible for loading into memory the libraries that a program needs and linking them with the executable at runtime.
CVE-2023-4911 impacts the dynamic loader’s processing of the GLIBC_TUNABLES environment variable, which allows users to change the library’s behavior at runtime by adjusting different parameters.
As per Qualys, the dynamic loader is extremely security sensitive because its code runs with elevated privileges when a local user executes a set-user-ID program, a set-group-ID program, or a program with capabilities.
The glibc dynamic loader’s processing of the tunables variable is susceptible to a buffer overflow that can be exploited to obtain full root privileges on an impacted system.
The issue was introduced in April 2021, with the release of glibc 2.34, and has been successfully tested on Debian 12 and 13, Fedora 37 and 38, and Ubuntu 22.04 and 23.04. Other Linux distributions might be impacted as well, except for Alpine Linux, which uses musl libc instead of glibc.
The issue resides in the way the dynamic loader’s processing function sanitizes tunables. Because the function removes all dangerous tunables but keeps specific ones, supplying a specially crafted environment variable results in the tunable being processed twice, overflowing the buffer.
The vulnerability leads to full root privileges and is relatively easy to exploit. Qualys is not sharing its PoC code, although it has provided an extensive technical analysis.
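For triage on potentially affected hosts, the following added example (not code from Qualys or the glibc project) reads process environments in the NUL-separated form of /proc/<pid>/environ and reports any GLIBC_TUNABLES value whose entries do not fit the documented colon-separated name=value syntax. The sample environments are constructed, and the name pattern in the regular expression is an assumption about what legitimate tunable names look like.

```python
import re

# Documented syntax (glibc manual): GLIBC_TUNABLES=name=value[:name=value...]
# Assumption: names are dotted identifiers such as glibc.malloc.tcache_count,
# and a value contains neither '=' nor ':'.
ENTRY_RE = re.compile(r"^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)*=[^=:]*$")
VAR = "GLIBC_TUNABLES"


def parse_environ(blob: bytes) -> dict:
    """Split a /proc/<pid>/environ style blob (NUL-separated KEY=VALUE)."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:
            env[key.decode("utf-8", "replace")] = value.decode("utf-8", "replace")
    return env


def check_tunables(value: str) -> list:
    """Return the entries that do not match name=value; empty means clean."""
    return [entry for entry in value.split(":") if not ENTRY_RE.match(entry)]


def triage(procs: dict) -> dict:
    """Map pid -> (verdict, bad entries) for processes that set the variable."""
    findings = {}
    for pid, blob in procs.items():
        env = parse_environ(blob)
        if VAR in env:
            bad = check_tunables(env[VAR])
            findings[pid] = ("malformed" if bad else "well-formed", bad)
    return findings


# Constructed sample data, not captured from a real system.
SAMPLE = {
    101: b"PATH=/usr/bin\0HOME=/root\0",
    202: b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.tcache_count=0:glibc.malloc.perturb=1\0",
    303: b"GLIBC_TUNABLES=glibc.malloc.perturb:=5\0PATH=/bin\0",
}

if __name__ == "__main__":
    for pid, (verdict, bad) in sorted(triage(SAMPLE).items()):
        print(pid, verdict, bad)
```

On a live host the blobs would come from reading /proc/<pid>/environ with sufficient privileges; a malformed verdict is a prompt for review and patch verification, not proof of compromise.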