New Linux glibc flaw lets attackers get root on major distros

Unprivileged attackers can get root access on several major Linux distributions in their default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc).

Tracked as CVE-2023-6246, this security flaw was found in glibc's __vsyslog_internal() function, which is called by the widely used syslog() and vsyslog() functions to write messages to the system message logger.

The bug is a heap-based buffer overflow that was accidentally introduced in August 2022 into the code that shipped as glibc 2.37, and was later backported to glibc 2.36 as part of the fix for a less severe vulnerability tracked as CVE-2022-39046.

“The buffer overflow issue poses a significant threat as it could allow local privilege escalation, enabling an unprivileged user to gain full root access through crafted inputs to applications that employ these logging functions,” Qualys security researchers said.

“Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library.”

Impacts Debian, Ubuntu, and Fedora systems

While testing their findings, Qualys confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39 were all vulnerable to CVE-2023-6246 exploits, allowing any unprivileged user to escalate privileges to full root access on default installations.

Although their tests were limited to a handful of distros, the researchers added that “other distributions are probably also exploitable.”
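Because the bug lives in the glibc version range the article describes (introduced in 2.37, backported to 2.36, and fixed upstream in the 2.39 release), a first triage step on a fleet is to compare the installed glibc against that range. The script below is an added example, not code from the article or from Qualys; it assumes a glibc-based system where `getconf GNU_LIBC_VERSION` is available. A hit only means "confirm the fix was backported", since distributions patch without bumping the version string; the `apt changelog` and `rpm --changelog` commands it prints are the usual way to confirm that.

```shell
#!/bin/sh
# Added example (not from the article or Qualys): triage check for CVE-2023-6246.
# Affected upstream range per the article: glibc 2.36 (backport) through 2.38;
# the upstream fix shipped in glibc 2.39. Distro packages may already carry a
# backported fix, so a hit here means "verify", not "vulnerable".

# Print the running glibc's version string, e.g. "2.37".
# getconf GNU_LIBC_VERSION prints "glibc 2.37"; on musl or non-Linux it prints nothing.
glibc_version() {
    getconf GNU_LIBC_VERSION 2>/dev/null | awk '{ print $2 }'
}

# in_affected_range "major.minor[.patch]"
# Returns 0 when the version is inside 2.36..2.38, 1 when outside,
# 2 when the argument does not look like a version string.
in_affected_range() {
    v="$1"
    major="${v%%.*}"
    rest="${v#*.}"
    minor="${rest%%.*}"          # tolerate "2.38.9"-style strings
    case "$major$minor" in
        *[!0-9]*|"") return 2 ;; # not a numeric version
    esac
    [ "$major" -eq 2 ] && [ "$minor" -ge 36 ] && [ "$minor" -le 38 ]
}

# Check the glibc this shell is running against and print the follow-up step.
# Exit status: 0 = in the affected range, 1 = outside it, 2 = could not determine.
check_running_glibc() {
    v="$(glibc_version)"
    if [ -z "$v" ]; then
        echo "no glibc detected (musl or non-Linux system?)"
        return 2
    fi
    if in_affected_range "$v"; then
        echo "glibc $v is in the range that shipped CVE-2023-6246; confirm the fix is backported:"
        echo "  Debian/Ubuntu: apt changelog libc6 | grep CVE-2023-6246"
        echo "  Fedora:        rpm -q --changelog glibc | grep CVE-2023-6246"
        return 0
    fi
    echo "glibc $v is outside the affected upstream version range"
    return 1
}

# Run the check when the script is executed directly.
check_running_glibc || rc=$?
echo "status: ${rc:-0}"
```

Run it with `sh check-glibc.sh` on each host (the filename is an assumption); a status of 0 is the cue to grep the package changelog for the CVE before treating the host as vulnerable.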

While analyzing glibc for other potential security issues, the researchers also found three other vulnerabilities: two of them, harder to exploit, in the same __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780), and a third (a memory corruption issue still awaiting a CVE ID) in glibc's qsort() function.

“These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications,” said Saeed Abbasi, Product Manager at Qualys' Threat Research Unit.

Other Linux root escalation flaws found by Qualys

Over the past few years, researchers at Qualys have found several other Linux security vulnerabilities that can let attackers gain full control over unpatched Linux systems, even in default configurations.

Vulnerabilities they discovered include a flaw in glibc's ld.so dynamic loader (Looney Tunables), one in Polkit's pkexec component (dubbed PwnKit), another in the kernel's filesystem layer (dubbed Sequoia), and one in the Sudo Unix program (aka Baron Samedit).

Days after the Looney Tunables flaw (CVE-2023-4911) was disclosed, proof-of-concept (PoC) exploits were published online, and threat actors started exploiting it one month later to steal cloud service provider (CSP) credentials in Kinsing malware attacks.

The Kinsing gang is known for deploying cryptocurrency mining malware on compromised cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins servers.

CISA later ordered U.S. federal agencies to secure their Linux systems against CVE-2023-4911 attacks after adding it to its catalog of actively exploited bugs and tagging it as posing “significant risks to the federal enterprise.”
