Researchers are urging security teams to prioritize patching a buffer overflow flaw in the GNU C Library (glibc), which they call “a pressing concern” for numerous Linux distributions.
Glibc, which is the C library implementation in the GNU system, defines system calls and other basic functionalities and exists in most systems running the Linux kernel. This flaw is severe due to both its impact and the extensive use of glibc across Linux distributions. If exploited, the flaw could allow local attackers to gain full root access on popular Linux platforms, and researchers with Qualys said they have identified the flaw on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.
In a coordinated effort on Wednesday, multiple platforms released patches for the flaw, including Debian, Ubuntu and Red Hat. Qualys said it has held off on publishing proof-of-concept (PoC) exploit code for the flaw, but several other security researchers have released their own exploit code.
“Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits,” said Saeed Abbasi, product manager in the threat research unit with Qualys, in an analysis this week. “While certain distributions like Alpine Linux are exempt due to their use of musl libc instead of glibc, many popular distributions are potentially vulnerable and could be exploited in the near future.”
The high-severity flaw (CVE-2023-4911), which was introduced in glibc version 2.34, exists in glibc’s dynamic loader. The loader is a critical component that prepares and runs programs: it examines them to determine the shared libraries they require, searches for those libraries, loads them into memory and links them with the executable at runtime. Because of this role, the loader must run with elevated privileges when a local user runs a set-user-ID or set-group-ID program.
Specifically, the issue exists in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable, which allows users to modify the library’s behavior at runtime. The error could enable local attackers to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission, in order to execute code with elevated privileges.
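The following Python is an added example, not code from Qualys or the glibc project, for taking stock of the exposure described above: it classifies the reported libc version against 2.34 and lists set-user-ID/set-group-ID ELF files that start through a dynamic loader. The function names, the scanned directories and the restriction to 64-bit little-endian ELF files are assumptions of the example.

```python
import os
import re
import stat
import struct

def libc_exposure(version_string):
    """Classify a string like 'glibc 2.35', the form os.confstr reports."""
    m = re.match(r"glibc (\d+)\.(\d+)", version_string or "")
    if not m:
        return "glibc-not-reported"  # e.g. a musl-based system
    if (int(m[1]), int(m[2])) < (2, 34):  # article: flaw introduced in glibc 2.34
        return "predates-flaw"
    return "check-vendor-patch"  # fixes are backported; the number proves nothing

def elf_interpreter(data):
    """Return the PT_INTERP path of a 64-bit little-endian ELF image, else None."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None
    e_phoff, e_phentsize, e_phnum = struct.unpack_from("<Q14xHH", data, 0x20)
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + 56 > len(data):
            break
        p_type, _, p_offset, _, _, p_filesz = struct.unpack_from("<IIQQQQ", data, off)
        if p_type == 3:  # PT_INTERP: the kernel starts this program via a loader
            raw = data[p_offset:p_offset + p_filesz]
            return raw.rstrip(b"\0").decode(errors="replace") or None
    return None

def setid_dynamic_binaries(roots=("/usr/bin", "/usr/sbin", "/usr/libexec")):
    """Yield (path, loader) for set-user-ID/set-group-ID ELF files under roots."""
    for root in roots:  # the default roots are an assumption; pass your own
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    mode = os.lstat(path).st_mode
                    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                        with open(path, "rb") as fh:
                            loader = elf_interpreter(fh.read(4096))  # headers sit early
                        if loader:
                            yield path, loader
                except OSError:
                    pass  # unreadable or vanished file

if __name__ == "__main__":
    known = "CS_GNU_LIBC_VERSION" in getattr(os, "confstr_names", {})
    print(libc_exposure(os.confstr("CS_GNU_LIBC_VERSION") if known else None))
    print(*setid_dynamic_binaries(), sep="\n")
```

A `check-vendor-patch` result means the distribution's advisory and installed package version still have to be compared, because vendors ship the fix without changing the upstream glibc version number.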
“The presence of a buffer overflow vulnerability in the dynamic loader’s handling of the GLIBC_TUNABLES environment variable poses significant risks to numerous Linux distributions,” said researchers. “This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security.”
Researchers are urging system administrators to apply the patches immediately.
“With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it’s imperative for system administrators to act swiftly,” said Abbasi. “While Alpine Linux users can breathe a sigh of relief, others should prioritize patching to ensure system integrity and security.”