Buffer Overflow in GNU C Library's Dynamic Loader ld.so Could Allow Local Attacker to Execute Code with Elevated Privileges
CVE-2023-4911

7.8HIGH

Key Information:

Vendor
Red Hat
Status
glibc
Red Hat Enterprise Linux 8
Red Hat Enterprise Linux 8.6 Extended Update Support
Red Hat Enterprise Linux 9
Vendor
CVE Published:
3 October 2023

Badges

💰 Ransomware👾 Exploit Exists🟡 Public PoC🟣 EPSS 20%🦅 CISA Reported📰 News Worthy

Summary

The first article discusses two different critical vulnerabilities in the GNU C Library (glibc) that allow unprivileged attackers to gain root access on multiple major Linux distributions. The vulnerabilities are tracked as CVE-2023-4911 and CVE-2023-6246 and both can lead to local privilege escalation. CVE-2023-4911 was already exploited by ransomware groups to steal cloud service provider (CSP) credentials in Kinsing malware attacks. The second vulnerability, CVE-2023-6246, was found in glibc's __vsyslog_internal() function and allows any unprivileged user to escalate privileges to full root access on default installations of various Linux distributions. The impact of these vulnerabilities is significant due to the widespread use of the affected library, and organizations are urged to ensure their systems are secure against these vulnerabilities.

CISA Reported

CISA provides regional cyber and physical services to support security and resilience across the United States. CISA monitor the most dangerious vulnerabilities and have identifed as being exploited but is not known by the CISA to be used in ransomware campaigns. This is subject to change at pace as recent news articles suggest the vulnerability is being used by ransomware groups.

The CISA's recommendation is: Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

CVE-2023-4911
Created by leesh3288

CVE-2023-4911
Created by RickdeJager

LooneyPwner
Created by chaudharyarjun

News Articles

favicon imageBleepingComputer

New Linux glibc flaw lets attackers get root on major distros

​Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc).

11 months ago

favicon imageHelp Net Security

Looney Tunables bug exploited for cryptojacking - Help Net Security

Kinsing threat actors have been exploiting the recently disclosed Looney Tunables vulnerability to target cloud-native environments.

1 year ago

favicon imageBleepingComputer

Hackers exploit Looney Tunables Linux bug, steal cloud creds

The operators of the Kinsing malware are targeting cloud environments with systems vulnerable to

1 year ago

References

http://packetstormsecurity.com/files/174986/glibc-ld.so-L...
http://packetstormsecurity.com/files/176288/Glibc-Tunable...
http://seclists.org/fulldisclosure/2023/Oct/11

EPSS Score

20% chance of being exploited in the next 30 days.

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • 🟡

    Public PoC available

  • 🦅

    CISA Reported

  • 💰

    Used in Ransomware

  • 👾

    Exploit known to exist

  • 📰

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre DatabaseCISA Database15 Proof of Concept(s)10 News Article(s)

Credit

Red Hat would like to thank Qualys Research Labs for reporting this issue.
.