New Linux glibc vulnerability gives attackers root access on major distributions
Unprivileged attackers can gain root access on several major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C library (glibc).
The security flaw, tracked as CVE-2023-6246, was found in glibc’s __vsyslog_internal() function, which is called by the widely used syslog and vsyslog functions to write messages to the system message logger.
The bug is a heap-based buffer overflow that was accidentally introduced in glibc 2.37 in August 2022 and later backported to glibc 2.36 while addressing a less severe vulnerability tracked as CVE-2022-39046.
“The buffer overflow issue poses a significant threat because it may allow local privilege escalation, enabling an unprivileged user to gain full root access through input intended for applications that use these logging functions,” security researchers at Qualys said.
“Although the vulnerability requires specific conditions to exploit (such as an unusually long argv[0] or openlog() ident argument), its impact is significant given the widespread use of the affected library.”
Affects Debian, Ubuntu, and Fedora systems
While testing their findings, Qualys confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 through 39 were all vulnerable to CVE-2023-6246, allowing any unprivileged user to escalate privileges to full root access on default installations.
Although their tests were limited to a few distributions, the researchers added that “other distributions may also be exploitable.”
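A quick way to triage a fleet against this report is to read the upstream glibc version and compare it with the versions the article names (2.36 and 2.37). The script below is an added example, not code from the article or from Qualys; it parses the first line of `ldd --version` and runs against constructed sample outputs so it can be exercised offline. The caveat it encodes matters: distributions backport fixes without bumping this version number, so a match means "check the distribution advisory and installed package version", not "confirmed vulnerable".

```shell
#!/bin/sh
# Added example (not from the article): flag hosts whose upstream glibc
# version is one the article names for CVE-2023-6246 (2.36 or 2.37).
# Distro security updates keep the upstream version string, so a hit is a
# prompt to verify the patched package version, not a confirmation.

# Print "major.minor" from the first line of `ldd --version`, e.g.
#   "ldd (Ubuntu GLIBC 2.37-0ubuntu2.2) 2.37"  ->  "2.37"
glibc_version_from_ldd() {
    printf '%s\n' "$1" | awk 'NR == 1 { print $NF }'
}

# Exit 0 when the version is one the article names, 1 otherwise.
is_reported_version() {
    case "$1" in
        2.36|2.37) return 0 ;;
        *)         return 1 ;;
    esac
}

# Constructed sample outputs (not captured from real hosts).
SAMPLE_AFFECTED='ldd (Ubuntu GLIBC 2.37-0ubuntu2.2) 2.37
Copyright (C) 2023 Free Software Foundation, Inc.'
SAMPLE_OLDER='ldd (Debian GLIBC 2.31-13+deb11u7) 2.31
Copyright (C) 2020 Free Software Foundation, Inc.'

report() {
    ver=$(glibc_version_from_ldd "$1")
    if is_reported_version "$ver"; then
        echo "glibc $ver: upstream version named for CVE-2023-6246; verify the distribution's patched package version"
    else
        echo "glibc $ver: not one of the upstream versions named in the report"
    fi
}

report "$SAMPLE_AFFECTED"
report "$SAMPLE_OLDER"

# Live check on the current host when ldd is available.
if command -v ldd >/dev/null 2>&1; then
    report "$(ldd --version 2>/dev/null)"
fi
```

On a Debian or Ubuntu host, pair the result with `dpkg -s libc6` (or `rpm -q glibc` on Fedora) and the vendor advisory, since the package revision, not the upstream version, tells you whether the fix is installed.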
While analyzing glibc for other potential security issues, the researchers also found three other vulnerabilities: two hard-to-exploit flaws in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third, a memory corruption issue still awaiting a CVE ID, in glibc’s qsort() function.
“These flaws highlight the critical need for strict security measures in software development, especially for core libraries that are widely used across many systems and applications,” said Saeed Abbasi, product manager at Qualys Threat Research.
Other Linux root escalation flaws found by Qualys
Over the past few years, researchers at Qualys have discovered several other vulnerabilities in Linux that could allow attackers to take full control of unpatched Linux systems, even in default configurations.
The vulnerabilities they discovered include a flaw in glibc’s ld.so dynamic loader (Looney Tunables), one in Polkit’s pkexec component (dubbed PwnKit), another in the kernel’s filesystem layer (dubbed Sequoia), and one in the Sudo Unix program (also known as Baron Samedit).
Days after the Looney Tunables vulnerability (CVE-2023-4911) was disclosed, proof-of-concept (PoC) exploits were posted online, and threat actors began exploiting it one month later to steal cloud service provider (CSP) credentials in Kinsing malware attacks.
The Kinsing gang is known for deploying cryptocurrency mining malware on compromised cloud systems, including Kubernetes servers, Docker APIs, Redis, and Jenkins.
CISA later ordered US federal agencies to secure their Linux systems against CVE-2023-4911 attacks after adding it to its list of actively exploited bugs and labeling it as posing a “significant risk to the federal enterprise.”