CVE-2023-4911 (Looney Tunables): The Linux Vulnerability Exposing Major Systems
The Qualys Threat Research Unit has disclosed a vulnerability in the GNU C Library’s ld.so dynamic loader that lets a local, unprivileged user gain root by triggering a buffer overflow.
Tracked as CVE-2023-4911 and dubbed “Looney Tunables”, it carries a CVSS score of 7.8 (high severity). The overflow sits in the loader’s handling of the `GLIBC_TUNABLES` environment variable, and because the loader runs before the code of every dynamically linked program, set-user-ID binaries included, a local attacker can turn it into root privileges.
At its core, the GNU C Library (glibc) is the foundation of most Linux systems. It implements the standard C library and the thin wrappers around kernel system calls that nearly every program depends on, from `open` and `exit` to `malloc` and `printf` (the latter two are library functions built on top of system calls rather than system calls themselves).
Even more pivotal is the dynamic loader (ld.so) that ships with glibc. It runs first in every dynamically linked program: it loads the shared libraries the program needs, resolves their symbols, processes environment variables such as `LD_LIBRARY_PATH` and `GLIBC_TUNABLES`, and only then hands control to the program’s own code. A bug in that stage is therefore reachable from any glibc-linked program, privileged ones included.
The flaw is in how ld.so processes the `GLIBC_TUNABLES` environment variable at startup. When the loader starts a set-user-ID or set-group-ID program, it rewrites the tunables string in place to drop settings that are not permitted in a privileged process, and a malformed value makes that rewrite overflow the buffer holding the string. A local attacker therefore only needs to launch a SUID binary with a crafted `GLIBC_TUNABLES` value to corrupt the loader’s memory and run code with the binary’s elevated privileges, which for programs such as `su` and `sudo` means root.
The Qualys Threat Research Unit uncovered the flaw and traced its origin to a commit from April 2021 that first shipped in glibc 2.34, released in August 2021. Ironically, that commit was itself a security fix: it corrected the SXID_ERASE handling of tunables in setuid programs, that is, which tunables the loader must discard when a program runs with elevated privileges.
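To make the parsing defect concrete, here is an added example (it is not glibc’s code and not from Qualys): a simplified model of the loader’s secure-mode tunable parsing loop in its pre-fix and post-fix forms. Instead of writing into a buffer it counts the bytes the in-place rewrite would emit, so it runs safely; the three recognised tunable names and the input strings are assumed for the demo, and the real table in glibc’s dl-tunables.c is much larger.

```c
/* Added example, not glibc's code: a model of how ld.so's tunable parser
 * (glibc 2.34 through 2.38) rewrites GLIBC_TUNABLES for a setuid program,
 * in vulnerable and fixed forms. The loader copies each recognised
 * "name=value" pair back into a buffer exactly as long as the original
 * string; this model only counts those bytes. Names below are an assumed
 * subset of the real tunable table. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

static const char *const tunable_names[] = {
    "glibc.malloc.mxfast", "glibc.malloc.perturb", "glibc.rtld.nns",
};

static bool is_tunable(const char *name, size_t len)
{
    for (size_t i = 0; i < sizeof tunable_names / sizeof tunable_names[0]; i++)
        if (strlen(tunable_names[i]) == len &&
            memcmp(tunable_names[i], name, len) == 0)
            return true;
    return false;
}

/* Returns the number of bytes the secure-mode rewrite would write for
 * INPUT. The real buffer holds strlen(input) bytes plus a terminator, so
 * anything larger than strlen(input) is an overflow. */
static size_t parse_tunables_model(const char *input, bool fixed)
{
    const char *p = input;
    size_t off = 0;

    for (;;) {
        const char *name = p;
        size_t len = 0;

        /* The name ends at '=', ':' or end of string. */
        while (p[len] != '=' && p[len] != ':' && p[len] != '\0')
            len++;
        if (p[len] == '\0')
            return off;            /* no further name=value pair */
        if (p[len] == ':') {       /* bare name without a value: skip it */
            p += len + 1;
            continue;
        }
        size_t name_len = len;
        p += len + 1;              /* p now points at the value */

        /* The value ends at ':' or end of string, NOT at '='. So in
         * "a=a=X" the value of the first pair is the whole "a=X". */
        len = 0;
        while (p[len] != ':' && p[len] != '\0')
            len++;

        if (is_tunable(name, name_len)) {
            if (off > 0)
                off++;                       /* ':' separator */
            off += name_len + 1 + len;       /* name '=' value */
        }

        if (p[len] != '\0') {
            p += len + 1;
        } else if (fixed) {
            /* Fix for CVE-2023-4911: stop once the value has consumed the
             * rest of the input. */
            return off;
        }
        /* Vulnerable: p is left pointing at the value, which the next
         * iteration parses as a fresh "name=value" pair and copies again. */
    }
}

static bool overflows_vulnerable(const char *input)
{
    return parse_tunables_model(input, false) > strlen(input);
}

int main(void)
{
    /* Constructed inputs: a benign pair list and the nested form. */
    const char *inputs[] = {
        "glibc.malloc.mxfast=0:glibc.malloc.perturb=1",
        "glibc.malloc.mxfast=glibc.malloc.mxfast=AAAA",
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        const char *in = inputs[i];
        printf("%-46s len=%zu vulnerable=%zu fixed=%zu%s\n", in, strlen(in),
               parse_tunables_model(in, false), parse_tunables_model(in, true),
               overflows_vulnerable(in) ? "  <-- overflow" : "");
    }
    return 0;
}
```

The model shows the two ingredients of the bug. The value scan stops only at a colon or the end of the string, never at a second equals sign, and the pre-fix loop did not terminate when the value ran to the end of the input, so it re-parsed that value as another pair and wrote it a second time. For a string of the form `name=name=value`, where `name` is a recognised tunable, the rewrite emits roughly one extra pair beyond a buffer sized for the original string; for ordinary `name=value:name=value` input the byte count equals the input length and nothing overflows in either version.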
According to Saeed Abbasi, Product Manager at Qualys’ Threat Research Unit, “Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, underscores the profound and ubiquitous nature of this vulnerability.”
Qualys is withholding its exploit code for now, but it notes that the overflow converts readily into a data-only attack, one that corrupts the loader’s own data structures rather than injecting code. That simplicity makes it likely that other researchers will reproduce a working exploit soon.
Qualys confirmed the vulnerability on Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38; since the bug has been present in every glibc release since 2.34, other distributions shipping those versions without the fix are affected as well. Given how ubiquitous glibc is, the potential scale of the problem is enormous. Distributions built on musl libc rather than glibc, such as Alpine Linux, are not affected.
Any local account, including an unprivileged one, can use the flaw. The CVSS vector reflects low attack complexity and no user interaction, so a foothold as an ordinary local user is all an attacker needs.
For systems that cannot be updated immediately and do not use Secure Boot (SystemTap works by loading a kernel module, which Secure Boot’s module-signature enforcement generally prevents), Qualys has provided a SystemTap script as a stopgap. Once loaded, it terminates any setuid program started with `GLIBC_TUNABLES` set in its environment. To invoke such a program while the script is active, unset or clear the variable first, for example `GLIBC_TUNABLES= sudo` or `env -u GLIBC_TUNABLES sudo`. This is a mitigation rather than a fix; the patched glibc package from your distribution remains the real remedy.
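A few shell pieces for the interim, as an added example (the Qualys SystemTap script is not reproduced here, and this is neither Qualys’s nor glibc’s code): a small POSIX sh detector for the nested `name=name=value` shape that triggers the overflow, a wrapper that strips `GLIBC_TUNABLES` from a command’s environment, and, as a function to call by hand, the crash check that Qualys published with its advisory. The path `/usr/bin/su`, the presence of `env -u`, and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not the page's, Qualys's or glibc's code). Assumes POSIX sh
# and an env(1) that supports -u (GNU coreutils and busybox both do).

# tunables_suspicious VALUE
# Returns 0 (true) if VALUE, a GLIBC_TUNABLES string, contains a
# colon-separated element with more than one '='. A well-formed element is
# exactly "glibc.x.y=value"; the nested "name=name=value" form is what the
# loader in glibc 2.34 through 2.38 mis-parses (CVE-2023-4911).
tunables_suspicious() {
    _rest=$1
    while [ -n "$_rest" ]; do
        case $_rest in
            *:*) _elem=${_rest%%:*}; _rest=${_rest#*:} ;;
            *)   _elem=$_rest;       _rest= ;;
        esac
        _tail=${_elem#*=}        # drop the leading "name="
        case $_tail in
            *=*) return 0 ;;     # a second '=' inside one element
        esac
    done
    return 1
}

# run_without_tunables CMD [ARGS...]
# Removes GLIBC_TUNABLES from the environment before running CMD, so a setuid
# program never inherits a value from the calling shell. Unsetting is stricter
# than "GLIBC_TUNABLES= CMD", which leaves an empty variable in place.
run_without_tunables() {
    env -u GLIBC_TUNABLES "$@"
}

# looney_tunables_crash_check
# The crash test from the Qualys advisory: an unpatched loader faults on the
# nested tunable while starting the setuid su binary, so "Segmentation fault"
# means vulnerable. A normal help screen is only weak evidence of a fix;
# confirm the installed glibc version against your distribution's advisory.
# Not run automatically below; /usr/bin/su is an assumed path.
looney_tunables_crash_check() {
    env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" \
        "Z=$(printf '%08192x' 1)" /usr/bin/su --help
}

# Constructed sample values for the detector.
for _v in "glibc.malloc.mxfast=0:glibc.malloc.perturb=1" \
          "glibc.malloc.mxfast=glibc.malloc.mxfast=AAAA"; do
    if tunables_suspicious "$_v"; then
        printf 'suspicious: %s\n' "$_v"
    else
        printf 'ok:         %s\n' "$_v"
    fi
done
```

The detector is deliberately conservative: it flags only the shape the loader mis-parses and does not try to validate tunable names, so it is cheap enough to drop into a login script or a wrapper around `sudo` while the patched package is rolled out.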