A new Linux security vulnerability dubbed Looney Tunables has been discovered in the GNU C library’s ld.so dynamic loader that, if successfully exploited, could lead to a local privilege escalation and allow a threat actor to gain root privileges.
Tracked as CVE-2023-4911 (CVSS score: 7.8), the issue is a buffer overflow that resides in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. Cybersecurity firm Qualys, which disclosed details of the bug, said it was introduced as a code commit made in April 2021.
The GNU C library, also called glibc, is a core library in Linux-based systems that offers foundational features such as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, and exit.
glibc’s dynamic loader is a crucial component that’s responsible for preparing and running programs, including finding the necessarily shared object dependencies required as well as loading them into memory and linking them at runtime.
The vulnerability impacts major Linux distributions like Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13, although other distributions are likely to be vulnerable and exploitable. One notable exception is Alpine Linux, which uses the musl libc library instead of glibc.
“The presence of a buffer overflow vulnerability in the dynamic loader’s handling of the GLIBC_TUNABLES environment variable poses significant risks to numerous Linux distributions,” Saeed Abbasi, product manager at Qualys Threat Research Unit, said.
“This environment variable, intended to fine-tune and optimize applications linked with glibc, is an essential tool for developers and system administrators. Its misuse or exploitation broadly affects system performance, reliability, and security.”
An advisory issued by Red Hat states that a local attacker could exploit the shortcoming to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
It has also provided temporary mitigation that, when enabled, terminates any setuid program invoked with GLIBC_TUNABLES in the environment.
Looney Tunables is the latest addition to a growing list of privilege escalation flaws that have been discovered in Linux in recent years, counting CVE-2021-3156 (Baron Samedit), CVE-2021-3560, CVE-2021-33909 (Sequoia), and CVE-2021-4034 (PwnKit), that could be weaponized to obtain elevated permissions.