A severe vulnerability affecting potentially millions of machines lets an attacker elevate limited local privileges to full root on numerous flavours of Linux including default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13, says cybersecurity firm Qualys.
The vulnerability, allocated CVE-2023-4911, affects a widely used feature in the GNU C Library (glibc) called “Tunables” that allows application authors and distribution maintainers to alter the runtime library behaviour to match their workload. It was introduced in April 2021 (glibc 2.34) by commit 2ed18c, the security company said in an October 3 report.
It has now been fixed in upstream glibc, but users of downstream distributions will need to update as patches become available from their vendors.
The bug lets a local attacker supply a maliciously crafted GLIBC_TUNABLES environment variable when launching an SUID binary, and thereby execute code as root. Red Hat Enterprise Linux (RHEL) 8 and 9 are also affected, as is Red Hat Virtualization 4. Red Hat has published separate guidance.
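As a defender's triage aid, the following POSIX shell script is an added example (not from the Qualys report or the glibc project): it reports whether the installed glibc is in the 2.34-and-later range that carries the tunables code, and scans readable process environments for GLIBC_TUNABLES, a variable that normal workloads rarely set and that an SUID launch should never inherit. The sample environment block it builds is constructed for demonstration; the function names are the author's own.

```shell
#!/bin/sh
# Added example: CVE-2023-4911 triage helpers (not vendor code).

# Returns 0 when MAJOR.MINOR is 2.34 or later, the range in which the tunables
# parsing introduced by commit 2ed18c is present. Distributions backport fixes
# without changing the version number, so 0 means "check the vendor advisory",
# not "confirmed vulnerable".
glibc_in_affected_range() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -d. -f2)
    [ "$major" -gt 2 ] && return 0
    [ "$major" -eq 2 ] && [ "$minor" -ge 34 ]
}

# Reads the installed glibc version from ldd, e.g. "2.35" (empty if ldd is absent).
installed_glibc_version() {
    ldd --version 2>/dev/null | head -n1 | awk '{print $NF}'
}

# Prints any GLIBC_TUNABLES entry from a /proc/<pid>/environ-style file
# (NUL-separated KEY=VALUE pairs). Returns 0 if one was found.
environ_has_tunables() {
    tr '\0' '\n' < "$1" | grep '^GLIBC_TUNABLES='
}

# Builds a constructed sample environ file with a benign tunable, for testing.
make_sample_environ() {
    f=$(mktemp)
    printf 'PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=1\0HOME=/root\0' > "$f"
    printf '%s\n' "$f"
}

# Lists live processes whose environment carries GLIBC_TUNABLES.
scan_processes() {
    for env in /proc/[0-9]*/environ; do
        if val=$(environ_has_tunables "$env" 2>/dev/null); then
            pid=${env#/proc/}; pid=${pid%/environ}
            printf 'pid %s: %s\n' "$pid" "$val"
        fi
    done
}

ver=$(installed_glibc_version)
if [ -n "$ver" ] && glibc_in_affected_range "$ver"; then
    printf 'glibc %s: 2.34+ range, verify vendor patch status\n' "$ver"
else
    printf 'glibc %s: predates the tunables commit or unknown\n' "${ver:-?}"
fi
scan_processes
```

Run it as root to see every process environment; unprivileged runs only cover your own processes.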