--- licence_title: Creative Commons Attribution 4.0 International (CC-BY 4.0) licence_link: https://creativecommons.org/licenses/by/4.0/ licence_restrictions: https://cert.europa.eu/legal-notice licence_author: CERT-EU, The Cybersecurity Service for the European Union institutions, bodies, offices and agencies title: 'GNU C Library Dynamic Loader Buffer Overflow Vulnerability' version: '1.0' number: '2023-072' original_date: 'October 3, 2023' date: 'October 4, 2023' --- _History:_ * _4/10/2023 --- v1.0 -- Initial publication_ # Summary A critical buffer overflow vulnerability, identified as `CVE-2023-4911`, has been discovered by Qualys Research Labs in the GNU C Library's dynamic loader when processing the `GLIBC_TUNABLES` environment variable. This vulnerability can be exploited to obtain full root privileges, impacting several major Linux distributions. It is recommended updating as soon as possible. # Technical Details The GNU C Library's dynamic loader is responsible for locating and loading shared libraries needed by a program. It operates with elevated privileges when executing a set-user-ID program, set-group-ID program, or a program with capabilities. The vulnerability `CVE-2023-4911` specifically relates to the processing of the `GLIBC_TUNABLES` environment variable. It was introduced in glibc 2.34 in April 2021 by the commit `2ed18c`. When ld.so starts its execution, it invokes `__tunables_init()` to search for `GLIBC_TUNABLES` variables. Upon finding any, it makes a copy and proceeds to sanitise this copy. However, due to incorrect handling, a buffer overflow can be triggered and leveraged to obtain full root privileges. # Affected Products The following distributions before the patch and in their default installation were successfully exploited by Qualys' team: - Fedora 37 and 38 - Ubuntu 22.04 and 23.04 - Debian 12 and 13 Other distributions might be vulnerable except for Alpine Linux which utilises musl libc instead of glibc. # Recommendations Users and administrators are urged to apply patches as soon as they are available from their respective distribution's repository. # References [1] [2]