Patch now: This serious Linux vulnerability affects nearly all distributions

aum

Qualys has discovered a nasty security hole, dubbed 'Looney Tunables', in glibc, the GNU C Library. This means almost all Linux distributions have a bad security problem.

    As security holes go, CVE-2023-4911, aka "Looney Tunables," isn't horrid. It has a Common Vulnerability Scoring System (CVSS) score of 7.8, which is ranked as important, not critical. 


On the other hand, this vulnerability in the GNU C Library (glibc) dynamic loader is a buffer overflow, which is always big trouble, and the affected code ships in pretty much all Linux distributions, so it's more than bad enough.

    After all, its discoverers, the Qualys Threat Research Unit, were able to exploit "this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13." Other distributions are almost certainly vulnerable to attack. The one major exception is the highly secure Alpine Linux. 


Thanks to this vulnerability, it's trivial for a local user to take over most Linux systems as root. As the researchers noted, this exploitation method "works against almost all of the SUID-root programs that are installed by default on Linux."

    So, yeah, this is bad news with a capital B for Linux users. 


The vulnerability was introduced in April 2021 with the release of glibc 2.34. The flaw is a buffer overflow in glibc's ld.so dynamic loader, a crucial component responsible for preparing and executing programs on Linux systems. The overflow is triggered while the loader processes the GLIBC_TUNABLES environment variable, making it a significant threat to system integrity and security.

    So, how bad is this really? To quote Saeed Abbasi, Qualys Threat Research Unit Product Manager, "This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security. … The ease with which the buffer overflow can be transformed into a data-only attack … could put countless systems at risk, especially given the extensive use of glibc across Linux distributions."


    And, yes, I'm sorry to say at least one exploit is already available to take advantage of this hole. 


    So, what should you do about it? Patch. Patch it now. 


    The good news is that Red Hat, Ubuntu, Debian, and Gentoo have all released their own updates. In addition, the upstream glibc code has been patched with the fix. 


If you can't patch yet, Red Hat has published a mitigation script that should work on most Linux systems: it configures the system to terminate any setuid program invoked with GLIBC_TUNABLES in its environment.
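As an added, defender-side example (this is not Red Hat's mitigation script and not code from the article), the following Python script audits a running system for exactly the condition that mitigation guards against: a setuid or setgid executable running with GLIBC_TUNABLES set in its environment. It only reports, it never kills anything, so it can be run as a read-only check; reading other users' /proc/<pid>/environ requires root. The function names and the sample environment strings used in the comments are constructed for this example.

```python
"""Report setuid/setgid processes that were started with GLIBC_TUNABLES set.

Added example for the Looney Tunables (CVE-2023-4911) write-up. It is an
audit, not a mitigation: a finding means a privileged binary is running
under an environment the glibc loader parses, which is worth investigating
on an unpatched host. A legitimate tunable value (for example
GLIBC_TUNABLES=glibc.malloc.check=1) is reported too; the point is that a
setuid program should not be receiving that variable at all.
"""
import os
import stat

TUNABLES_PREFIX = b"GLIBC_TUNABLES="


def environ_has_tunables(environ_blob: bytes) -> bool:
    """/proc/<pid>/environ is a NUL-separated list of KEY=VALUE entries.
    Return True if any entry sets GLIBC_TUNABLES (value content is irrelevant)."""
    return any(entry.startswith(TUNABLES_PREFIX)
               for entry in environ_blob.split(b"\0"))


def is_setuid_or_setgid(st_mode: int) -> bool:
    """True if the executable's mode carries the setuid or setgid bit."""
    return bool(st_mode & (stat.S_ISUID | stat.S_ISGID))


def suspicious(environ_blob: bytes, st_mode: int) -> bool:
    """The combination the mitigation script refuses to allow."""
    return is_setuid_or_setgid(st_mode) and environ_has_tunables(environ_blob)


def scan_proc(proc_root: str = "/proc"):
    """Walk /proc and return (pid, executable) pairs that match.
    Processes we may not inspect (other users' environ, exited pids,
    deleted executables) are skipped rather than treated as findings."""
    findings = []
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        base = os.path.join(proc_root, pid)
        try:
            exe = os.readlink(os.path.join(base, "exe"))
            mode = os.stat(exe).st_mode
            with open(os.path.join(base, "environ"), "rb") as fh:
                env = fh.read()
        except OSError:
            continue
        if suspicious(env, mode):
            findings.append((int(pid), exe))
    return findings


if __name__ == "__main__":
    hits = scan_proc()
    for pid, exe in hits:
        print(f"pid {pid}: setuid/setgid {exe} has GLIBC_TUNABLES in its environment")
    if not hits:
        print("no setuid/setgid process with GLIBC_TUNABLES found")
```

Run it as root on a host you are triaging; an empty result does not mean the host is patched, only that nothing matching is running right now, so it complements rather than replaces checking the installed glibc version against your distribution's advisory.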

    So, get out there, make the patches, run the scripts, and, if you have vulnerable Internet of Things (IoT) devices, lock them down behind a firewall until a fix is in. Finally, as Porky Pig says, "That's all, folks!"

