Executive Summary
A new Linux security vulnerability, known as Looney Tunables, has been discovered in the GNU C library, commonly known as glibc. The vulnerability, identified as CVE-2023-4911 with a CVSS score of 7.8, allows local privilege escalation and can lead to root privileges.
The vulnerability poses significant risks to system performance, reliability, and security. Several proof-of-concept versions of the exploit have been released publicly.
System administrators are advised to prioritize patching this vulnerability to ensure system integrity and security.
About the Vulnerability
The Looney Tunables vulnerability was discovered in the GNU C library, commonly known as glibc, by the Qualys Threat Research Unit (TRU). The vulnerability, tracked as CVE-2023-4911 with a CVSS score of 7.8, allows local privilege escalation and can lead to root privileges.
The issue stems from a buffer overflow in the processing of the GLIBC_TUNABLES environment variable. This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security.
Major Linux distributions, including Fedora, Ubuntu, and Debian, are affected. One notable exception is Alpine Linux, which uses the musl libc library instead of glibc.
The vulnerability could put countless systems at risk, especially given the extensive use of glibc across Linux distributions.
For more details, please refer to the Qualys Advisory.
Response from Red Hat
Red Hat has issued an advisory regarding the Looney Tunables vulnerability, which includes a temporary mitigation that terminates setuid programs invoked with GLIBC_TUNABLES in the environment.
For more details, please refer to the Red Hat Advisory.
To address this vulnerability, it is crucial that administrators of affected systems apply the vendor patches and updates promptly; the mitigation above is a stopgap, not a substitute.
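The condition the Red Hat mitigation keys on (a set-user-ID or set-group-ID executable running with GLIBC_TUNABLES in its environment) can also be turned into an audit check. The following is an added example written for this page, not Red Hat's mitigation script and not code from Qualys: it only reports matching processes rather than terminating them, reads /proc to find them, and the sample environments it checks are constructed, not captured from a real system.

```python
import os
import stat
from pathlib import Path


def is_suspicious(environ: bytes, mode: int) -> bool:
    """True when a setuid/setgid executable (st_mode in `mode`) runs with
    GLIBC_TUNABLES present in `environ`, the NUL-separated block read from
    /proc/<pid>/environ. Ordinary (non-setuid) processes are never flagged,
    because the privilege boundary is what makes the variable dangerous."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return False
    return any(entry.startswith(b"GLIBC_TUNABLES=")
               for entry in environ.split(b"\0"))


def scan_proc(proc: str = "/proc") -> list[tuple[int, str]]:
    """Walk /proc and return (pid, exe path) for every live process that
    matches the rule. Entries we cannot read (other users' processes,
    kernel threads, races with exiting processes) are skipped."""
    hits = []
    root = Path(proc)
    if not root.is_dir():
        return hits
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            exe = os.readlink(entry / "exe")
            mode = os.stat(exe).st_mode
            environ = (entry / "environ").read_bytes()
        except OSError:
            continue
        if is_suspicious(environ, mode):
            hits.append((int(entry.name), exe))
    return hits


# Constructed sample inputs (environment block, st_mode), not real captures.
SAMPLES = {
    "setuid binary with GLIBC_TUNABLES": (b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.check=1\0", 0o104755),
    "plain binary with GLIBC_TUNABLES": (b"GLIBC_TUNABLES=glibc.malloc.check=1\0", 0o100755),
    "setuid binary without it": (b"PATH=/usr/bin\0HOME=/root\0", 0o104755),
}


def check_samples() -> dict[str, bool]:
    """Apply the rule to the constructed samples; only the first is flagged."""
    return {name: is_suspicious(env, mode) for name, (env, mode) in SAMPLES.items()}


if __name__ == "__main__":
    print(check_samples())
    for pid, exe in scan_proc():
        print(f"pid {pid}: setuid/setgid {exe} has GLIBC_TUNABLES in its environment")
```

Running it as root gives full coverage of /proc; as an unprivileged user it can only inspect the caller's own processes.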