The Qualys Threat Research Unit (TRU) recently disclosed a high-severity vulnerability in GNU C Library aka glibc that could allow a local attacker to gain root privileges. This vulnerability, tracked as CVE-2023-4911 and nicknamed “Looney Tunables”, has been given a CVSS score of 7.8 making it a critical security issue that needs immediate attention.
In this blog post, we will take a look into this vulnerability – its origins, impact, and the steps you need to take to patch this vulnerability on Linux systems using glibc.
A Short Note About GNU C Library
The GNU C Library or glibc provides core OS functionality like memory allocation, input/output operations, and thread handling required by most programs on a Linux system.
A key component of glibc is the dynamic loader (ld.so) which loads the required shared libraries and prepares the program for execution. When a program starts, the loader examines it to determine the shared libraries needed and loads them into memory. It then resolves symbol references like function/variable names and links the libraries to the executable.
The loader runs with elevated privileges when executing setuid or setgid programs, making it security-sensitive. The GLIBC_TUNABLES environment variable was introduced in glibc 2.34 to allow tweaking library behavior at runtime without recompiling the app or library.
It allows parameters like memory allocation, locking, and threading to be tuned by setting colon separated key-value pairs in GLIBC_TUNABLES. For example:
This provides granular control over glibc functionality. The loader parses GLIBC_TUNABLES during initialization and applies the tunable settings to alter behavior.
While a useful functionality for developers and sysadmins, the improper handling of GLIBC_TUNABLES also introduced the vulnerability leading to CVE-2023-4911. The parser had a flaw that caused a buffer overflow when manipulating the tunable strings.
The Summary of CVE-2023-4911
- CVE ID: CVE-2023-4911
- Description: Buffer overflow in GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable
- CVSS Score: 7.8 HIGH
- Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
The vulnerability stems from a flaw in how glibc’s dynamic loader parses the GLIBC_TUNABLES environment variable. Improper handling of colon-separated key-value pairs can trigger a buffer overflow due to a logic error while duplicating the tunable string. This could allow a local attacker to execute arbitrary code as root when running binaries with sudo permissions. Successful exploitation leads to privilege escalation to root on the affected system. For more technical details visit the original post.
Linux Distributions Vulnerable to CVE-2023-4911
The Qualys researchers successfully exploited this vulnerability to gain root privileges on default installations of Fedora 37/38, Ubuntu 22.04/23.04, and Debian 12/13. Other glibc based distributions are also likely affected.
- Fedora 37 and 38
- Ubuntu 22.04 and 23.04
- Debian 12 and 13
Other glibc based Linux distributions are also likely vulnerable.
We recommend checking these advisories from the popular Linux distributions.
As per the proof-of-concept released, the attack works by modifying LD_LIBRARY_PATH to load malicious libraries and brute-forcing memory addresses. On average, it takes a few minutes to successfully execute arbitrary code as root depending on the system. The vulnerability impacts any Linux distribution using glibc 2.34 or later.
If you are not sure which glibc version your machine has, run this command to check the glibc version. The same command should work on other Linux distributions. Alternatively, you can use rpm -q glibc on RedHat and CentOS.
How to Mitigate or Fix Looney Tunables?
The most effective mitigation is to install the glibc updates provided by your Linux distribution containing the fix for CVE-2023-4911. This patches the vulnerable code in glibc’s dynamic loader and prevents the buffer overflow from occurring.
Please ensure to check the Distribution advisories about the patch. Red Hat has published instructions for an alternate mitigation using SystemTap. This involves creating a script that monitors for the GLIBC_TUNABLES environment variable being used and immediately terminates the process.
The Looney Tunables vulnerability is extremely serious given the ubiquity of the GNU C Library on Linux systems. If exploited, it leads to immediate root access on the host. Quickly patching glibc is highly recommended to prevent potential compromise of your systems.
To summarize, CVE-2023-4911 is a high-severity local privilege escalation affecting glibc that allows gaining root privileges on Linux. Updating glibc on your systems is strongly advised to mitigate this vulnerability.