Linux glibc Flaw Lets Attackers Exploit Root Access on Major Linux Distros

Written by Gabby Lee

January 31, 2024

A newly discovered vulnerability in the GNU C Library (glibc) enables attackers to gain root access on default configurations of major Linux distributions. This Linux glibc flaw, tracked as CVE-2023-6246, stems from a heap-based buffer overflow in the __vsyslog_internal() function of glibc.  

This function is commonly used by syslog and vsyslog for writing messages to the system message logger. The Linux glibc flaw was accidentally introduced in glibc version 2.37 and later backported to version 2.36 when addressing a less severe vulnerability (CVE-2022-39046).

“The buffer overflow issue poses a significant threat as it could allow local privilege escalation, enabling an unprivileged user to gain full root access through crafted inputs to applications that employ these logging functions,” Qualys security researchers said.

“Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library.”
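
A detection sketch for the trigger condition named in the quote above (an unusually long argv[0]), added here as an example and not taken from Qualys or the glibc project: it scans Linux audit EXECVE records and flags an argv[0] whose file-name part is longer than 255 bytes or whose total length is longer than 4096 bytes. The thresholds (common NAME_MAX and PATH_MAX values), the function names and the sample records are assumptions constructed for illustration.

```python
import re

NAME_MAX = 255   # assumption: file-name limit on common Linux filesystems
PATH_MAX = 4096  # assumption: Linux path-length limit

EVENT = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
A0_LEN = re.compile(r"\ba0_len=(\d+)")      # very long argument, logged in chunks
A0_QUOTED = re.compile(r'\ba0="([^"]*)"')   # printable argument
A0_HEX = re.compile(r"\ba0=((?:[0-9A-Fa-f]{2})+)(?=\s|$)")  # hex-encoded argument

def argv0_of(record):
    """Return argv[0] as bytes, or its total length (int) when chunked."""
    if m := A0_LEN.search(record):
        return int(m.group(1))
    if m := A0_QUOTED.search(record):
        return m.group(1).encode()
    if m := A0_HEX.search(record):
        return bytes.fromhex(m.group(1))
    return None

def suspicious_execs(lines):
    """Return [(event_id, reason)] for EXECVE records with an implausible argv[0]."""
    hits = []
    for line in lines:
        if "type=EXECVE" not in line:
            continue
        a0 = argv0_of(line)
        if a0 is None:
            continue
        event = EVENT.search(line)
        event_id = event.group(1) if event else "unknown"
        total = a0 if isinstance(a0, int) else len(a0)
        if total > PATH_MAX:
            hits.append((event_id, f"argv[0] is {total} bytes (> PATH_MAX)"))
        elif not isinstance(a0, int) and len(a0.rsplit(b"/", 1)[-1]) > NAME_MAX:
            hits.append((event_id, "argv[0] file name exceeds NAME_MAX"))
    return hits

# Constructed sample records (not real log data).
HEAD = "type=EXECVE msg=audit(1706700000.000:%d): argc=1 "
SAMPLE = [
    HEAD % 101 + 'a0="/usr/bin/su"',                          # ordinary exec
    HEAD % 102 + 'a0="/tmp/' + "A" * 300 + '"',               # 300-byte file name
    HEAD % 103 + "a0=" + b"/opt/my app/run".hex().upper(),    # hex form, benign
    HEAD % 104 + "a0_len=9000 a0[0]=" + "41" * 16,            # chunked, 9000 bytes
    "type=SYSCALL msg=audit(1706700000.000:105): syscall=59 a0=7ffd1c",
]
```

A hit means only that the process name could not belong to a real file; confirming exposure still requires checking the installed glibc package against the distribution's advisory.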

The Linux glibc Flaw Impacts Debian, Ubuntu, and Fedora Systems

After conducting tests, Qualys researchers have confirmed that several Linux distributions, including Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39, are vulnerable to exploits targeting CVE-2023-6246.

This Linux glibc flaw allows unprivileged users to elevate their privileges to gain full root access on default installations. While the researchers focused on a limited number of distributions, they suspect that other distributions may also be susceptible to exploitation.

Furthermore, during their analysis of glibc for additional security issues, the researchers discovered three other vulnerabilities. Two of these vulnerabilities, identified as CVE-2023-6779 and CVE-2023-6780, exist in the __vsyslog_internal() function.

Although they are more difficult to exploit, they still pose potential risks. The researchers also found a third vulnerability in glibc’s qsort() function, which involves a memory corruption issue that is currently awaiting a CVE ID.

“These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications.”

“The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications,” Qualys’ Threat Research Unit said.

Similar Linux Root Escalation Flaws

In recent years, Qualys researchers have identified multiple security vulnerabilities in Linux that can lead to complete control of unpatched systems, even in their default configurations. These vulnerabilities include weaknesses in various components such as glibc’s ld.so dynamic loader (referred to as “Looney Tunables”), Polkit’s pkexec component (known as “PwnKit”), the kernel’s filesystem layer (referred to as “Sequoia”), as well as the Sudo Unix program (also known as “Baron Samedit”).

Shortly after the disclosure of the Looney Tunables flaw (CVE-2023-4911), proof-of-concept (PoC) exploits were made available online. Within a month, threat actors began exploiting this vulnerability in Kinsing malware attacks, targeting cloud service provider (CSP) credentials.

The Kinsing gang is notorious for deploying cryptocurrency mining malware on compromised cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins servers.

In response to the severity of the situation, the Cybersecurity and Infrastructure Security Agency (CISA) directed U.S. federal agencies to secure their Linux systems against CVE-2023-4911 attacks.

CISA classified this vulnerability as actively exploited and categorized it as posing “significant risks to the federal enterprise.” This proactive measure aimed to protect critical infrastructure and ensure the security of federal systems.
