As security holes go, CVE-2023-4911, aka “Looney Tunables,” isn’t horrid. It has a Common Vulnerability Scoring System (CVSS) score of 7.8, which is ranked as important, not critical.
On the other hand, this GNU C Library’s (glibc) dynamic loader vulnerability is a buffer overflow, which is always big trouble, and it’s in pretty much all Linux distributions, so it’s more than bad enough.
Also: Linux tries to dump Windows’ notoriously insecure RNDIS protocol
After all, its discoverers, the Qualys Threat Research Unit, were able to exploit “this vulnerability (a local privilege escalation that grants full root privileges) on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13.” Other distributions are almost certainly vulnerable to attack. The one major exception is the highly secure Alpine Linux.
Thanks to this vulnerability, it’s trivial to take over most Linux systems as a root user. As the researchers noted, this exploitation method “works against almost all of the SUID-root programs that are installed by default on Linux.”
–>
So, yeah, this is bad news with a capital B for Linux users.
The vulnerability was introduced in April 2021 with the release of glibc 2.34. The flaw is a buffer overflow weakness in the glibc’s ld.so dynamic loader, a crucial component responsible for preparing and executing programs on Linux systems. The vulnerability is triggered when processing the GLIBC_TUNABLES environment variable, making it a significant threat to system integrity and security.
Also: New cryptographic protocol aims to bolster open-source software security
So, how bad is this really? To quote Saeed Abbasi, Qualys Threat Research Unit Product Manager, “This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security. … The ease with which the buffer overflow can be transformed into a data-only attack … could put countless systems at risk, especially given the extensive use of glibc across Linux distributions.”
And, yes, I’m sorry to say at least one exploit is already available to take advantage of this hole.
So, what should you do about it? Patch. Patch it now.
Also: 6 simple cybersecurity rules to live by
The good news is that Red Hat, Ubuntu, Debian, and Gentoo have all released their own updates. In addition, the upstream glibc code has been patched with the fix.
If you can’t patch it, Red Hat has a script that should work on most Linux systems to mitigate the problem by setting your system to terminate any setuid program invoked with GLIBC_TUNABLES in the environment.
So, get out there, make the patches, run the scripts, and, if you have vulnerable Internet of Things (IoT) devices, lock them down behind a firewall until a fix is in. Finally, as Porky Pig says, “That’s all, folks!”