ALERT: Vulnerability in GNU C Library on many Linux Distributions
Friday, October 6, 2023
This alert is intended for U-M IT staff who are responsible for university devices using Linux distributions, or individuals using Linux distributions. It is especially important for those using Linux for university business.
A vulnerability (CVE-2023-4911) in the GNU C Library (i.e., glibc) on many popular Linux distributions has been discovered. Successful exploitation of this vulnerability can give a malicious actor full root privileges. Proof of concept (POC) exploit code is publicly available. Linux systems should be patched as soon as possible.
The GNU C Library’s dynamic loader has a crucial role in many system functionalities, including preparing and running programs. It runs with elevated privileges, making it especially high priority to address.
Although there is currently no confirmation of exploitation in the wild, this vulnerability could enable attackers to gain root privileges on many popular Linux distributions, and it is of heightened concern because proof-of-concept exploit code is publicly available.
This vulnerability (CVE-2023-4911) has been fixed in upstream glibc.
Some distributions, such as Alpine Linux, are not affected because they use musl libc instead of glibc, but many popular glibc-based distributions are potentially vulnerable.
Because of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).
Linux distribution vendors, including Ubuntu, Red Hat, Debian, Fedora, and Gentoo, are urging users to upgrade to a non-vulnerable version of the library.
- A buffer overflow was discovered in the GNU C Library's dynamic loader when it processes the GLIBC_TUNABLES environment variable.
- An attacker could supply a maliciously crafted GLIBC_TUNABLES environment variable when launching a binary with SUID permission to execute code with elevated privileges.
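The two points above describe where the exposure lies: the glibc dynamic loader, reached through the environment of every SUID binary on the host. The triage script below is an added example written for this alert; it is not part of the U-M advisory or of glibc. It identifies whether the host even uses glibc (musl-based systems such as Alpine are out of scope), extracts the glibc version, compares it against a fixed version you must fill in from your distribution's advisory (`FIXED_GLIBC` is a placeholder), and lists the SUID-root binaries that form the attack surface. The version-parsing helpers work on constructed `ldd --version` strings so they can be checked offline.

```shell
#!/bin/sh
# Added triage helper for CVE-2023-4911 (not from the U-M alert or from glibc).
# ASSUMPTION: FIXED_GLIBC is a placeholder; take the real fixed version from
# your distribution's advisory. Distributions that backport fixes keep the same
# upstream version number (e.g. Ubuntu 22.04 stays on 2.35), so on those the
# package version printed at the end, not this number, is the authority.
FIXED_GLIBC="${FIXED_GLIBC:-2.39}"

# Classify the first line of `ldd --version` as glibc, musl, or unknown.
libc_flavor() {
    case "$1" in
        *musl*)                            echo musl ;;
        *GLIBC*|*"GNU libc"*|*glibc*)      echo glibc ;;
        *)                                 echo unknown ;;
    esac
}

# Extract the numeric glibc version from the first line of `ldd --version`,
# e.g. "ldd (Ubuntu GLIBC 2.35-0ubuntu3.4) 2.35" -> "2.35".
glibc_version_from_ldd() {
    printf '%s\n' "$1" | awk 'NR==1 { v=$NF; sub(/[^0-9.].*$/, "", v); print v }'
}

# Return 0 if dotted version $1 >= $2, comparing field by field numerically.
# Missing fields count as 0; any non-numeric suffix in a field is ignored.
version_ge() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | awk -F. -v i="$i" '{ v=$i; sub(/[^0-9].*$/, "", v); print v }')
        y=$(printf '%s' "$b" | awk -F. -v i="$i" '{ v=$i; sub(/[^0-9].*$/, "", v); print v }')
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# Print the distribution package version of the C library, where a package
# manager is available, so it can be compared with the vendor advisory.
libc_package_version() {
    if command -v dpkg-query >/dev/null 2>&1; then
        dpkg-query -W -f='libc6 ${Version}\n' libc6 2>/dev/null
    elif command -v rpm >/dev/null 2>&1; then
        rpm -q --qf 'glibc %{VERSION}-%{RELEASE}\n' glibc 2>/dev/null
    else
        echo "package version: no dpkg or rpm found"
    fi
}

main() {
    first_line=$(ldd --version 2>&1 | head -n 1)
    flavor=$(libc_flavor "$first_line")
    if [ "$flavor" != glibc ]; then
        echo "libc flavor: $flavor (CVE-2023-4911 affects glibc only)"
        return 0
    fi
    v=$(glibc_version_from_ldd "$first_line")
    if version_ge "$v" "$FIXED_GLIBC"; then
        echo "glibc $v >= $FIXED_GLIBC (upstream comparison): likely patched"
    else
        echo "glibc $v < $FIXED_GLIBC (upstream comparison): check vendor package below"
    fi
    libc_package_version
    echo "SUID-root binaries (the surface exposed to a loader bug reachable via the environment):"
    find / -xdev -type f -perm -4000 -user root 2>/dev/null
}

# Run the inventory only when invoked with --run, so the helpers can be sourced
# and exercised without touching the live system.
[ "${1:-}" = "--run" ] && main
```

Run it as `sh glibc_triage.sh --run` on each host; the SUID list is worth keeping as a record, since a patched loader closes this bug but every SUID binary remains a privilege boundary worth knowing about.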
How We Protect U-M
ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.
Information for Users
All managed MiServer Linux servers will be patched without need for requests. ITS will communicate again if the schedule deviates from what was previously communicated.
Questions, Concerns, Reports
Please contact ITS Information Assurance through the ITS Service Center.
- “Looney Tunables” bug allows root access on Linux distros (CVE-2023-4911) (helpnetsecurity.com)