CVE-2023-4911 (Looney Tunables): a critical vulnerability in glibc

Oct 6, 2023
Dmitry Chuyko

A buffer overflow was discovered in the dynamic loader (ld.so) of the GNU C Library (glibc) while processing the GLIBC_TUNABLES environment variable. Find out more about the vulnerability and how to mitigate the risk of exploits.

Description

CVE-2023-4911 (dubbed Looney Tunables) was introduced in glibc 2.34 in April 2021. As most Linux distributions use this C library implementation, the vulnerability affects a significant number of systems. So what exactly is the issue?

The glibc dynamic loader is responsible for determining, finding, and loading the shared libraries that a program needs at runtime. The GLIBC_TUNABLES environment variable allows developers to adjust the performance and behavior of the library at runtime without recompiling the library or the application. As it turned out, a maliciously crafted GLIBC_TUNABLES value can cause a buffer overflow and enable attackers to run code with root-level privileges.

Risk scope

The vulnerability was assigned a CVSS score of 7.8 (high severity) because the glibc dynamic loader runs with elevated privileges when a local user launches programs with set-user-ID or set-group-ID permissions. An attacker can therefore get full root access to the system.

Mitigation

If you use a musl-based Linux distribution, such as Alpine or Alpaquita, your applications are unaffected. For those developers who use a glibc-based distro, we recommend updating the OS as soon as possible. BellSoft has already released a security patch for a glibc version of Alpaquita Linux — update the image now and stay safe!
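A quick way to triage a host along these lines, as an added example that is not from the original article or from BellSoft: it classifies `ldd --version` output using the article's two facts (musl is unaffected; the bug was introduced in glibc 2.34). The function names and sample strings are assumptions of this example, as is the caveat that a vendor may backport code to an older version number; a version number alone does not show whether a distribution's patch is installed.

```shell
#!/bin/sh
# Added triage example for CVE-2023-4911 (not BellSoft's or glibc's code).

# classify_libc TEXT: TEXT is the output of `ldd --version 2>&1`.
# Prints: musl | glibc-2.34-or-later | glibc-predates-2.34 | unknown
classify_libc() {
    text=$1
    case $text in
        *musl*) echo "musl"; return 0 ;;
    esac
    # glibc prints the upstream version as the last word of the first line.
    ver=$(printf '%s\n' "$text" |
        sed -n '1s/.* \([0-9][0-9]*\.[0-9][0-9]*\)[^ ]*$/\1/p')
    [ -n "$ver" ] || { echo "unknown"; return 0; }
    major=${ver%%.*}
    minor=${ver#*.}
    if [ "$major" -gt 2 ] || { [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]; }; then
        echo "glibc-2.34-or-later"
    else
        echo "glibc-predates-2.34"
    fi
}

# advise CLASS: map a classification to the action the article recommends.
advise() {
    case $1 in
        musl) echo "unaffected (musl-based distribution)" ;;
        glibc-2.34-or-later)
            echo "update the OS: install the distribution's glibc security patch" ;;
        glibc-predates-2.34)
            # Assumption: a vendor may backport code, so confirm with its advisory.
            echo "upstream version predates 2.34: confirm with the vendor advisory" ;;
        *) echo "libc not identified: check manually" ;;
    esac
}

# Constructed sample outputs (not captured from real systems).
sample_new='ldd (GNU libc) 2.36'
sample_old='ldd (Example GLIBC 2.28-1example) 2.28'
sample_musl='musl libc (x86_64)
Version 1.2.4'

for s in "$sample_new" "$sample_old" "$sample_musl"; do
    printf '%s -> %s\n' "$(classify_libc "$s")" "$(advise "$(classify_libc "$s")")"
done

# This host:
advise "$(classify_libc "$(ldd --version 2>&1)")"
```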
