Looney Tunables: ld.so library local privilege escalation (CVE-2023-4911)

Recently, Qualsys discovered a vulnerability (a buffer overflow) in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. Which can result in an escalation from local user access to root. This has been labeled as CVE-2023-4911

To address this we urge users to promptly apply package updates on your servers.

The GNU C Library’s dynamic loader find[s] and load[s] shared objects (shared libraries) needed by a program, prepare[s] the program to run, and then run[s] it” (via man ld.so).

However Qualsys confirmed :

We successfully exploited this vulnerability and obtained full root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, Debian 12 and 13; other distributions are probably also vulnerable and exploitable.

In general it the exploit requires someone to already be logged in, but it could also be triggered via an insecure service.

Affected distributions on our platform have updated packages resolving this issue. We recommend urgently applying package updates as soon as possible to minimise any risk of escalation. This vulnerability was introduced around April 2021 (glibc 2.34) and likely wont affect distributions using older glibc versions.

To ensure you have the latest updates consider running one of the following:

  • for Rocky/Alma 8/9 installs, please run ‘yum install glibc” or “dnf install glibc”.
  • for recent Debian or Ubuntu instead do “apt update && apt install glibc”.

If you need help with this or have any questions please open a support ticket and let us know how we can help.

Further Reading