    Linux: Vulnerability in glibc gives attackers root privileges

    By Theodore Meeks, January 31, 2024

    Three new vulnerabilities in glibc, the central C library on Linux, are currently worrying developers and distributors of the open source operating system. The flaws allow users to escalate their own privileges and, after several attempts, execute code with the privileges of the “root” administrative user. Major Linux distributions have already responded and released updated packages.

    According to the researchers at Qualys Labs who found it, the bug is in the __vsyslog_internal() helper function, which is called by the glibc logging functions, and it appears to have been dormant in the library code since August 2022. Ironically, the bug was introduced by a fix for another security issue in the same function.

    The issue, which the researchers were able to reproduce on Debian versions 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39, is based on a buffer overflow and, with some modifications, can be used to execute commands as “root”. Fortunately, experts say, the vulnerability cannot be exploited remotely; a local user account is a necessary requirement.

    This also affects the risk assessment for CVE-2023-6246, which is rated as a high risk. Although no official CVSS score is known, the score based on the known details is 7.8/10 (CVSS vector: CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C).

    Vulnerability testing with 128,000 zeros

    Using Bash, administrators can test whether their system is still affected or has already been patched. However, as with any “proof of concept,” caution is advised: unwanted side effects cannot always be ruled out.

    (exec -a "`printf '%0128000x' 1`" /usr/bin/su < /dev/null)

    After entering this line as a normal user on a vulnerable system, the usual password prompt appears briefly, followed abruptly by the message “Segmentation fault (core dumped)”.
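
The test above can be wrapped so that the outcome is read from the exit status instead of the terminal message. This is an added example, not part of the original article or the researchers' advisory; the function names and the `--run` switch are assumptions, and status 139 is the shell's encoding of a process killed by SIGSEGV (128 + 11).

```bash
#!/usr/bin/env bash
# Added example: runs the article's one-line test and interprets the result.
# Function names and the --run switch are assumptions made for this example.

# Map the exit status of the test command to a verdict.
classify_status() {
    case "$1" in
        139)     echo "vulnerable" ;;    # 128 + 11 (SIGSEGV): su crashed
        126|127) echo "inconclusive" ;;  # su missing or not executable
        *)       echo "no-crash" ;;      # su exited normally, e.g. authentication failure
    esac
}

# Run the test in a child bash (exec -a is a bash feature) with core dumps
# disabled, so that a crash leaves no core file behind. Prints the exit status.
run_check() {
    bash -c 'ulimit -c 0
             (exec -a "$(printf "%0128000x" 1)" /usr/bin/su < /dev/null)' \
        >/dev/null 2>&1
    echo $?
}

# Only touch the system when explicitly asked to.
if [ "${1:-}" = "--run" ]; then
    status=$(run_check)
    # The version string alone is not decisive: distributions backport fixes.
    echo "glibc: $(getconf GNU_LIBC_VERSION 2>/dev/null || echo unknown)"
    echo "exit status $status -> $(classify_status "$status")"
fi
```

A "no-crash" verdict only means that this particular test did not crash su; the installed glibc package version should still be compared with the distribution's security advisory.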

    The major Linux distributions Debian and Fedora responded with their own security advisories and provided updated glibc packages. These typically also fix two minor vulnerabilities in glibc, which have the CVE IDs CVE-2023-6779 and CVE-2023-6780. No updated Ubuntu package has been released yet, and the virtual machine that the Heise Security editorial team updates daily is still vulnerable.

    Along with the kernel, the glibc library is one of the central components of a Linux system, which makes vulnerabilities in it highly significant. Last year, Qualys discovered the “Looney Tunables” vulnerability, which also allowed local users to escalate their privileges.


    (Kaku)
