Make-me-root 'Looney Tunables' security hole on Linux needs your attention

What's up, Doc? Try elevated permissions


Grab security updates for your Linux distributions: there's a security hole that can be fairly easily exploited by rogue users, intruders, and malicious software to gain root access and take over the box.

Specifically, a buffer overflow vulnerability in the GNU C Library's handling of an environment variable was spotted by security firm Qualys, which has gone public with some of the details now that patches are being emitted.

The flaw, dubbed Looney Tunables, arises from the GNU C Library's dynamic loader (ld.so) mishandling the GLIBC_TUNABLES environment variable. And because the GNU C Library, commonly known as glibc, is found in most Linux systems, this is something of an issue.

Essentially, setting GLIBC_TUNABLES to a carefully crafted value can cause a buffer overflow, which could lead to arbitrary code execution within the loader, allowing it to be hijacked.


The glibc dynamic loader helps get programs up and running by loading shared libraries into memory and linking them to the main executable at runtime. Because it does this work inside the process being started, the loader runs with that process's privileges, which means root when the program is a set-UID (SUID) root binary. If someone – a low-privileged intruder, for instance – takes control of it, they get root-level or superuser access to the system.

Qualys said its team successfully identified and exploited the vulnerability to allow a local attacker to achieve root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. Most other distributions are said to be affected, though Alpine Linux is not because it uses musl libc rather than glibc.

"The presence of a buffer overflow vulnerability in the dynamic loader’s handling of the GLIBC_TUNABLES environment variable poses significant risks to numerous Linux distributions," said Saeed Abbasi, product manager with Qualys' Threat Research Unit, in the report.

"This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security."

Red Hat says that its Enterprise Linux 8, Enterprise Linux 9, and Virtualization 4 products are all affected.

"This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges," said Red Hat in its advisory.

The security oversight was introduced in glibc 2.34, commit 2ed18c, back in April 2021.

According to Qualys, the GLIBC_TUNABLES environment variable provides a way to alter a library's behavior at runtime, without the need for library or application recompilation. A tunable in Linux refers to a kernel parameter that can be changed during runtime.

Unfortunately, the code that parses and sanitizes GLIBC_TUNABLES fails in certain circumstances. Specifically, as Qualys explains in its technical write-up, the function parse_tunables() neglects to advance a pointer under certain conditions, and the result is a buffer overflow.
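As an added example that is not code from the article, Qualys or glibc: a small defender-side check that decodes /proc/<pid>/environ blobs and flags GLIBC_TUNABLES values which do not match the documented colon-separated glibc.<namespace>.<name>=value format. The sample environments are constructed.

```python
"""Flag processes whose environment carries a malformed GLIBC_TUNABLES value.
Added example, not from the article, Qualys or glibc. Assumes the documented
format: colon-separated name=value pairs, names shaped like glibc.<ns>.<tunable>.
"""
import re

NAME_RE = re.compile(r"^glibc\.[a-z_]+\.[a-z0-9_]+$")

def parse_tunables(value):
    """Return (pairs, problems). A problem is any entry that is not exactly one
    well-formed name, one '=', and a non-empty value with no further '='."""
    pairs, problems = [], []
    for entry in value.split(":"):
        if not entry:
            continue
        name, sep, val = entry.partition("=")
        if not sep or not NAME_RE.match(name) or not val or "=" in val:
            problems.append(entry)
        else:
            pairs.append((name, val))
    return pairs, problems

def environ_from_proc(blob):
    """Decode the NUL-separated key=value format of /proc/<pid>/environ."""
    env = {}
    for item in blob.split(b"\0"):
        key, sep, val = item.partition(b"=")
        if sep:
            env[key.decode(errors="replace")] = val.decode(errors="replace")
    return env

def find_suspicious(processes):
    """processes: iterable of (pid, environ blob). Returns [(pid, problems)]."""
    hits = []
    for pid, blob in processes:
        raw = environ_from_proc(blob).get("GLIBC_TUNABLES")
        if raw is None:
            continue
        problems = parse_tunables(raw)[1]
        if problems:
            hits.append((pid, problems))
    return hits

# Constructed sample environments: pid 101 is a benign malloc tuning,
# pid 202 carries an entry with a bogus name and an oversized value.
SAMPLE = [
    (101, b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.check=3:glibc.malloc.perturb=1\0"),
    (202, b"HOME=/tmp\0GLIBC_TUNABLES=glibc.malloc.check=3:junk=" + b"A" * 64 + b"\0"),
]
```

Calling find_suspicious(SAMPLE) flags only pid 202; on a live host the blobs would be read from /proc/<pid>/environ as root, which only reflects each process's initial environment.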

Red Hat has assigned the issue CVE-2023-4911, and given it a CVSS score of 7.8 out of 10 in terms of severity.

That's all folks. ®
