The Blue Report 2024
Get a comprehensive analysis of over 136 million cyber attacks and understand the state of threat exposure management.
In October 2023, a local privilege escalation vulnerability affecting major Linux distributions was disclosed [1]. CVE-2023-4911 is a buffer overflow vulnerability found in GNU C Library's dynamic loader and has a CVSS score of 7.8 (High). Adversaries may gain full root privileges in Fedora, Ubuntu, and Debian systems when they exploit the CVE-2023-4911 vulnerability. Organizations are advised to update their vulnerable Linux systems as soon as possible.
In this blog, we explained how the Looney Tunables CVE-2023-4911 exploit works.
Watch Now!
We strongly suggest simulating Looney Tunables CVE-2023-4911 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform.
What is Looney Tunables CVE-2023-4911 Elevation of Privilege Vulnerability?
Many Linux systems use the GNU C Library to allow applications written in C and C++ to interface with the underlying operating system. Recently, a buffer overflow vulnerability was found in the library, which affects major Linux distributions such as Fedora, Ubuntu, and Debian systems. CVE-2023-4911 allows an attacker to gain full root-level privileges in vulnerable Linux systems. The vulnerability was introduced with glibc 2.34 in April 2021, and it has a CVSS score of 7.8 (High). Although the vulnerability does not have a critical score, it affects a wide range of Linux systems. Therefore, organizations are advised to update their Linux systems as soon as possible.
The list of related security advisories is given below.
Linux Distributions |
Security Advisory on Looney Tunables CVE-2023-4911 |
Amazon Linux |
|
Debian |
|
Fedora |
|
Gentoo |
|
RedHat |
|
Ubuntu |
How Does Looney Tunables CVE-2023-4911 Exploit Work?
The GNU C Library, also known as glibc, is a fundamental C library used in most Linux systems that allows applications to interface with the underlying operating system. glibc provides the system API, system calls, and basic routines for programs written in C and C++. The GNU C Library's dynamic loader is an important component of glibc that is responsible for loading shared libraries into memory at program startup and linking them to the program. The dynamic loader provides the functionality required for dynamic linking, which allows programs to make use of shared libraries rather than having all the code compiled statically into the executable. It is an essential part of the system, allowing for modularity, efficient memory use, and ease of updates.
The GNU C Library uses environment variables that affect various runtime behaviors of the library and, by extension, applications linked against it. These environment variables can influence everything from localization to debugging and performance tuning. One such variable, GLIBC_TUNABLES, was introduced in glibc 2.25 as a mechanism to control the behavior of glibc in certain aspects. It allows users to set tunables that influence the runtime behavior of the GNU C Library without having to recompile applications or the library itself.
CVE-2023-4911 is caused by the dynamic loader's handling of the GLIBC_TUNABLES environment variable. If the tunable string is in the format of tunable1=tunable2=value, the sanitizing parser parse_tunables() in the dynamic loader parse the given string as tunable1="tunable2=value" and later keeps processing it as tunable2=value. This will lead to more data being copied inside the allocated buffer than is allowed. Using the buffer overflow vulnerability, an attacker may overwrite the pointer to the library search path, which determines where the dynamic loader will look for libraries. This action causes the dynamic loader to load a malicious libc.so located in an adversary-controlled location, leading to privilege escalation.
env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=`printf '%08192x' 1`" /usr/bin/su --help |
The proof of concept (PoC) command given above can be used to test whether the Linux system is vulnerable to CVE-2023-4911. If the system returns "Segmentation fault (core dumped)" after the PoC command is executed, the tested system is vulnerable, and organizations should update their systems without delay.
How Picus Helps Simulate Looney Tunables CVE-2023-4911 Attacks?
We also strongly suggest simulating Looney Tunables CVE-2023-4911 vulnerability to test the effectiveness of your security controls against sophisticated cyber attacks using the Picus Complete Security Validation Platform. You can also test your defenses against other vulnerability exploitation attacks, such as DirtyPipe, StackRot, and PwnKit, within minutes with a 14-day free trial of the Picus Platform.
Picus Threat Library includes the following threats for Looney Tunables CVE-2023-4911 vulnerability exploitation attacks:
Threat ID |
Threat Name |
Attack Module |
25233 |
Linux GNU C Library Looney Tunables Elevation of Privilege Vulnerability Threat |
Network Infiltration |
20404 |
Linux GNU C Library Looney Tunables Elevation of Privilege Vulnerability Threat |
Email Infiltration (Phishing) |
Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of The Picus Complete Security Validation Platform.
References
[1] S. Abbasi, "CVE-2023-4911: Looney Tunables - Local Privilege Escalation in the glibc's ld.so," Qualys Security Blog, Oct. 03, 2023. Available: https://blog.qualys.com/vulnerabilities-threat-research/2023/10/03/cve-2023-4911-looney-tunables-local-privilege-escalation-in-the-glibcs-ld-so. [Accessed: Oct. 09, 2023]