{
    "file_item": {
        "filepath": "security-advisories",
        "filename": "CERT-EU-SA2023-072.pdf"
    },
    "title": "GNU C Library Dynamic Loader Buffer Overflow Vulnerability",
    "serial_number": "2023-072",
    "publish_date": "04-10-2023 15:41:05",
    "description": "A critical buffer overflow vulnerability, identified as \"CVE-2023-4911\", has been discovered by Qualys Research Labs in the GNU C Library's dynamic loader when processing the \"GLIBC_TUNABLES\" environment variable. This vulnerability can be exploited to obtain full root privileges, impacting several major Linux distributions.<br>\nIt is recommended to update as soon as possible.<br>\n",
    "url_title": "2023-072",
    "content_markdown": "---\ntitle: 'GNU C Library Dynamic Loader Buffer Overflow Vulnerability'\nversion: '1.0'\nnumber: '2023-072'\noriginal_date: 'October 3, 2023'\ndate: 'October 4, 2023'\n---\n\n_History:_\n\n* _4/10/2023 --- v1.0 -- Initial publication_\n\n# Summary\n\nA critical buffer overflow vulnerability, identified as `CVE-2023-4911`, has been discovered by Qualys Research Labs in the GNU C Library's dynamic loader when processing the `GLIBC_TUNABLES` environment variable. This vulnerability can be exploited to obtain full root privileges, impacting several major Linux distributions.\n\nIt is recommended to update as soon as possible.\n\n# Technical Details\n\nThe GNU C Library's dynamic loader is responsible for locating and loading shared libraries needed by a program. It operates with elevated privileges when executing a set-user-ID program, set-group-ID program, or a program with capabilities.\n\nThe vulnerability `CVE-2023-4911` specifically relates to the processing of the `GLIBC_TUNABLES` environment variable. It was introduced in glibc 2.34 in April 2021 by the commit `2ed18c`. When ld.so starts its execution, it invokes `__tunables_init()` to search for `GLIBC_TUNABLES` variables. Upon finding any, it makes a copy and proceeds to sanitise this copy. However, due to incorrect handling, a buffer overflow can be triggered and leveraged to obtain full root privileges.\n\n# Affected Products\n\nThe following distributions, unpatched and in their default installation, were successfully exploited by Qualys' team:\n\n- Fedora 37 and 38\n- Ubuntu 22.04 and 23.04\n- Debian 12 and 13\n\nOther distributions might be vulnerable, except for Alpine Linux, which utilises musl libc instead of glibc.\n\n# Recommendations\n\nUsers and administrators are urged to apply patches as soon as they are available from their respective distribution's repository.\n\n# References\n\n[1] <https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt>\n\n[2] <https://www.debian.org/security/2023/dsa-5514>",
    "content_html": "<p><em>History:</em></p><ul><li><em>4/10/2023 --- v1.0 -- Initial publication</em></li></ul><h2 id=\"summary\">Summary</h2><p>A critical buffer overflow vulnerability, identified as <code>CVE-2023-4911</code>, has been discovered by Qualys Research Labs in the GNU C Library's dynamic loader when processing the <code>GLIBC_TUNABLES</code> environment variable. This vulnerability can be exploited to obtain full root privileges, impacting several major Linux distributions.</p><p>It is recommended to update as soon as possible.</p><h2 id=\"technical-details\">Technical Details</h2><p>The GNU C Library's dynamic loader is responsible for locating and loading shared libraries needed by a program. It operates with elevated privileges when executing a set-user-ID program, set-group-ID program, or a program with capabilities.</p><p>The vulnerability <code>CVE-2023-4911</code> specifically relates to the processing of the <code>GLIBC_TUNABLES</code> environment variable. It was introduced in glibc 2.34 in April 2021 by the commit <code>2ed18c</code>. When ld.so starts its execution, it invokes <code>__tunables_init()</code> to search for <code>GLIBC_TUNABLES</code> variables. Upon finding any, it makes a copy and proceeds to sanitise this copy. However, due to incorrect handling, a buffer overflow can be triggered and leveraged to obtain full root privileges.</p><h2 id=\"affected-products\">Affected Products</h2><p>The following distributions, unpatched and in their default installation, were successfully exploited by Qualys' team:</p><ul><li>Fedora 37 and 38</li><li>Ubuntu 22.04 and 23.04</li><li>Debian 12 and 13</li></ul><p>Other distributions might be vulnerable, except for Alpine Linux, which utilises musl libc instead of glibc.</p><h2 id=\"recommendations\">Recommendations</h2><p>Users and administrators are urged to apply patches as soon as they are available from their respective distribution's repository.</p><h2 id=\"references\">References</h2><p>[1] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt\">https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt</a></p><p>[2] <a rel=\"noopener\" target=\"_blank\" href=\"https://www.debian.org/security/2023/dsa-5514\">https://www.debian.org/security/2023/dsa-5514</a></p>",
    "licence": {
        "title": "Creative Commons Attribution 4.0 International (CC-BY 4.0)",
        "link": "https://creativecommons.org/licenses/by/4.0/",
        "restrictions": "https://cert.europa.eu/legal-notice",
        "author": "The Cybersecurity Service for the Union institutions, bodies, offices and agencies"
    }
}