Image source: Shutterstock
CVE-2023-4911 is a local privilege escalation flaw that gives attackers a way to gain root access on versions of Debian, Fedora, Ubuntu and other Linux distributions using the glibc library.
Millions of Linux systems running default installations of certain versions of Debian, Fedora, Ubuntu—and likely other distributions using the GNU C Library (glibc)—are potentially susceptible to a vulnerability that allows attackers to elevate local privileges to full root access.
Here are the key details:
The bug: The vulnerability (CVE-2023-4911) has to do with how the GNU C Library’s (glibc) dynamic loader (glibc ld.so) component, which is responsible for preparing and running programs, processes the GLIBC_TUNABLES environment variable. GLIBC_TUNABLES allows users to tune memory usage and performance during application startup and to generally control and modify runtime behavior of glibc.
Researchers at Qualys who discovered the vulnerability (CVE-2023-4911) have dubbed it Looney TUNABLES. They have described it as a buffer overflow in the dynamic loader’s handling of the GLIBC_TUNABLES variable. An attacker with local access to an affected system can take advantage of the flaw to craft maliciously created GLIBC_TUNABLES variables to execute code with elevated privileges. The vulnerability has been present since April 2021 with glibc 2.34 commit 2ed18c and poses significant risks to multiple Linux distributions, Qualys said.
Which Linux distros does the bug affect: Qualys successfully exploited the flaw in Fedora 37 and 38, Ubuntu 22.04 and 23.04 and Debian 12 and 13. The security vendor has assessed that other Linux distributions are likely affected as well. The only distro that for sure is NOT affected by CVE-2023-4911 is Alpine Linux because it uses musl libc and not glibc.
Why “Looney TUNABLES”: Presumably, because it sounds cool. Who knows? Doesn’t matter.
What is the potential impact: “This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators,” Qualys has noted. “Its misuse or exploitation broadly affects system performance, reliability, and security.” NIST has not yet provided an NVD score for the flaw.
Red Hat has assessed it as a “high” severity vulnerability and assigned it a base score of 7.8 on the CVSS scale. The vulnerability poses a high risk to data confidentiality, integrity and availability.
How exploitable is the bug really: Qualys product Saeed Abbasi has identified the vulnerability as posing a significant risk for organizations using the affected Linux distributions. According to him, the ease “with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits.”
According to Red Hat, the vulnerability involves low attack complexity, low privileges and no user interaction to exploit.
Is Exploit code for CVE-2023-4911 publicly available: Not as of 10:00 am US EDT, Oct. 4, 2023. But Qualys researchers have developed an exploit for the flaw that gave them full root privileges on several major Linux distributions including Debian 12 and 13, Fedora 37 and 38, Ubuntu 22.04 and 23.04. Qualys has decided not to publicly release its exploit code for the moment citing concerns over the ease with which an attacker can leverage it to escalate privileges.
Important notes: An attacker already needs local access on a system to be able to exploit the flaw. As Red Hat points out: The vulnerability allows a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Qualys researchers discovered the vulnerability manually. But they were able to find the vulnerable function in less than a second when they later used fuzzing tools such as and AFL++ and libFuzzer to try and find it.
As always, the best way to mitigate risk is to apply the patches that affected Linux distributions have released for the flaw. Red Hat recommends that organizations which cannot immediately update and do not have the Secure Boot feature enabled, should use a script it has provided to mitigate risk.
Here are the relevant updates for Debian, Gentoo, Red Hat, Red Hat Bugzilla and Fedora. And here’s Ubuntu’s advisory on the vulnerability.