Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc).
Tracked as CVE-2023-6246, this security flaw was found in glibc's __vsyslog_internal() function, called by the widely-used syslog and vsyslog functions for writing messages to the system message logger.
The bug is due to a heap-based buffer overflow weakness accidentally introduced in glibc 2.37 in August 2022 and later backported to glibc 2.36 when addressing a less severe vulnerability tracked as CVE-2022-39046.
"The buffer overflow issue poses a significant threat as it could allow local privilege escalation, enabling an unprivileged user to gain full root access through crafted inputs to applications that employ these logging functions," Qualys security researchers said.
"Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library."
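The two trigger inputs named above are both things an application controls at its own openlog() call: with a NULL ident, glibc falls back to the program name taken from argv[0], and an explicit ident is passed through unbounded. The following C wrapper, added here as an example and not code from the article, Qualys or glibc, shows the defense-in-depth step an application can take on its side: always hand openlog() a non-NULL ident copied into a fixed-size static buffer. The names bounded_ident, open_log_bounded and long_argv0 and the bound SAFE_IDENT_MAX are assumptions of this example; the glibc update remains the actual fix.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Conservative upper bound on the ident this program gives openlog().
 * The value is chosen for this example, not taken from glibc. */
#define SAFE_IDENT_MAX 32

/* openlog() stores the ident pointer instead of copying the string, so the
 * bounded copy must outlive every later syslog() call: a static buffer does. */
static char safe_ident[SAFE_IDENT_MAX + 1];

/* Constructed sample input: a program name far longer than the bound. */
const char long_argv0[] =
    "/tmp/AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";

/* Copy at most SAFE_IDENT_MAX bytes of the last path component of 'name'
 * into safe_ident and return it. NULL, empty, or a trailing '/' yield a
 * fixed fallback rather than leaving openlog() to use argv[0] itself. */
const char *bounded_ident(const char *name)
{
    const char *base;
    if (name == NULL)
        name = "";
    base = strrchr(name, '/');
    base = base ? base + 1 : name;
    if (*base == '\0')
        base = "unnamed";
    strncpy(safe_ident, base, SAFE_IDENT_MAX);
    safe_ident[SAFE_IDENT_MAX] = '\0';   /* strncpy does not guarantee NUL */
    return safe_ident;
}

/* Wrapper that never passes NULL or an unbounded ident to openlog(). */
void open_log_bounded(const char *name, int option, int facility)
{
    openlog(bounded_ident(name), option, facility);
}

int main(int argc, char **argv)
{
    (void)argc;
    /* argv[0] is caller-controlled, so bound it before it reaches glibc. */
    open_log_bounded(argv[0], LOG_PID, LOG_USER);
    syslog(LOG_INFO, "started with ident \"%s\"", safe_ident);
    closelog();
    printf("ident used: %s\n", safe_ident);
    return 0;
}
```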
Impacts Debian, Ubuntu, and Fedora systems
While testing their findings, Qualys confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39 were all vulnerable to CVE-2023-6246 exploits, allowing any unprivileged user to escalate privileges to full root access on default installations.
Although their tests were limited to a handful of distros, the researchers added that "other distributions are probably also exploitable."
While analyzing glibc for other potential security issues, the researchers also found three other vulnerabilities, two of them—harder to exploit—in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third one (a memory corruption issue still waiting for a CVE ID) in glibc's qsort() function.
"The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications," said Saeed Abbasi, Product Manager at Qualys' Threat Research Unit.
"These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications."
Other Linux root escalation flaws found by Qualys
Over the past few years, researchers at Qualys have found several other Linux security vulnerabilities that can let attackers gain complete control over unpatched Linux systems, even in default configurations.
Vulnerabilities they discovered include a flaw in glibc's ld.so dynamic loader (Looney Tunables), one in Polkit's pkexec component (dubbed PwnKit), another in the Kernel's filesystem layer (dubbed Sequoia), and in the Sudo Unix program (aka Baron Samedit).
Days after the Looney Tunables flaw (CVE-2023-4911) was disclosed, proof-of-concept (PoC) exploits were published online, and threat actors started exploiting it one month later to steal cloud service provider (CSP) credentials in Kinsing malware attacks.
The Kinsing gang is known for deploying cryptocurrency mining malware on compromised cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins servers.
CISA later ordered U.S. federal agencies to secure their Linux systems against CVE-2023-4911 attacks after adding it to its catalog of actively exploited bugs and tagging it as posing "significant risks to the federal enterprise."
Comments
Elastoer - 9 months ago
Isn't the whole idea of Open Source, that so many people are looking at the code base at any given time, that critical flaws like this are not supposed to happen?
wpontius - 9 months ago
Actually it has been shown that open source does not increase the chances of finding security issues or problems, nor is it more secure than closed source.
electrolite - 9 months ago
Qualys tested Debian 12 and 13. What about Debian 11? That has a sizable install base, whereas Debian 13 is mostly the 12 codebase since 12 was officially released just last year.
B4r3J4V3t - 9 months ago
@Elastoer
I sincerely hope You are joking. But in case You are not, the answer to Your "question" is:
NO.
There are plenty of reasons behind Open Source, and the thought regarding it being "more secure than closed source" is merely one of them. And my guess is that it's normally far from the primary motivation, if it's even considered at all.
@wpontius. I've seen people claiming this "both ways" but I haven't seen (read) any proper and conclusive investigation. But I would be very interested if You could point me to any such.
Best regards.