New 'Looney Tunables' Linux Bug: A Deep Dive into the CVE-2023-4911 Vulnerability

A new Linux vulnerability, known as 'Looney Tunables' and tracked as CVE-2023-4911, enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library's ld.so dynamic loader.
New 'Looney Tunables' Linux Bug: A Deep Dive into the CVE-2023-4911 Vulnerability

New ‘Looney Tunables’ Linux Bug Gives Root on Major Distros

A new Linux vulnerability, known as ‘Looney Tunables’ and tracked as CVE-2023-4911, enables local attackers to gain root privileges by exploiting a buffer overflow weakness in the GNU C Library’s ld.so dynamic loader. The GNU C Library (glibc) is the GNU system’s C library and is in most Linux kernel-based systems. It provides essential functionality, including system calls like open, malloc, printf, exit, and others, necessary for typical program execution. The dynamic loader within glibc is of utmost importance, as it is responsible for program preparation and execution on Linux systems that use glibc. Discovered by the Qualys Threat Research Unit, the flaw was introduced in April 2021, with the release of glibc 2.34, via a commit described as fixing SXID_ERASE behavior in setuid programs. “Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature,” said Saeed Abbasi, Product Manager at Qualys’ Threat Research Unit. “Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits. This could put countless systems at risk, especially given the extensive use of glibc across Linux distributions.”

Admins Urged to Prioritize Patching

The vulnerability is triggered when processing GLIBC_TUNABLES environment variable on default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38 (Alpine Linux, which uses musl libc, is not affected). “A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable,” a Red Hat advisory explains. “This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.” Attackers with low privileges can exploit this high-severity vulnerability in low-complexity attacks that don’t require user interaction. “With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it’s imperative for system administrators to act swiftly,” Abbasi added. “While Alpine Linux users can breathe a sigh of relief, others should prioritize patching to ensure system integrity and security.” In recent years, Qualys researchers have discovered other high-severity Linux security flaws that enable attackers to gain root privileges in default configurations of many Linux distributions. The list includes a flaw in Polkit’s pkexec component (dubbed PwnKit), another in the Kernel’s filesystem layer (dubbed Sequoia), and in the Sudo Unix program (aka Baron Samedit).