New Glibc Library Flaw Grants Root Access to Major Linux Distros

A high severity vulnerability has been uncovered in the GNU C Library (glibc) that could allow local attackers to gain full root privileges on multiple Linux distributions.

Disclosed as CVE-2023-6246, the issue is a heap-based buffer overflow in glibc's __vsyslog_internal() function, called by the commonly used syslog() and vsyslog() functions for logging messages. The flaw was introduced accidentally in glibc version 2.37 released in August 2022 and later backported to version 2.36.

According to researchers at Qualys who discovered the bug, it poses a major threat as it can enable unprivileged users to escalate privileges to root through crafted inputs to applications using the affected logging functions. While specific conditions are needed to exploit it, the impact is magnified due to glibc's widespread use.

The cybersecurity firm confirmed Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39 are vulnerable in default configurations. Other distributions are also likely affected.

In further analysis of glibc, Qualys found two other less severe flaws in __vsyslog_internal() (CVE-2023-6779 and CVE-2023-6780) and a third vulnerability leading to memory corruption in the qsort() function.

The researchers said these issues highlight the critical importance of strict security practices in developing widely used core software libraries like glibc.

Previous Flaws Enabled Linux Root Access

This is not the first time in recent years that vulnerabilities have been found in glibc or other Linux components that can provide full system control.

Qualys researchers previously discovered flaws dubbed "Looney Tunables" (CVE-2023-4911) in glibc's dynamic loader, "PwnKit" in Polkit, and "Sequoia" in the Linux kernel's filesystem layer. Another weakness resided in the Sudo program called "Baron Samedit".

Within days of disclosing Looney Tunables, proof-of-concept exploits emerged, followed by active exploitation by threat groups to steal cloud provider credentials a month later. The DHS Cybersecurity and Infrastructure Security Agency (CISA) ordered federal agencies to apply mitigations due to significant risks.

Impact of the Latest Glibc Vulnerability

The impact of CVE-2023-6246 is magnified because glibc is used in the vast majority of Linux distributions and OS versions. Attackers who have already gained low-privileged access, whether through phishing, another exploit, or physical access, can potentially leverage the flaw to fully compromise the system.

However, exploiting the bug requires specific conditions like an unusually long program name or username. Qualys notes that while exploitation may be complex, the widespread presence of the vulnerable code means the flaw should be treated as high-risk.
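The condition mentioned above, an unusually long program name reaching a logging routine, is a reminder that log formatters must never assume the identifier fits a fixed-size buffer. The following is an added illustrative example written for this article, not glibc's code and not a reproduction of the __vsyslog_internal() bug: it shows the bounded-buffer discipline (size the heap buffer from the real formatted length, check every return value) that prevents this class of overflow. The function names format_log_line and long_ident_is_handled are assumptions introduced here.

```c
/* Added illustrative example: building a syslog-style line
 * ("ident[pid]: message") from an ident of arbitrary length.
 * This is NOT glibc's __vsyslog_internal(); it only demonstrates
 * the defensive pattern that avoids heap overflows of the kind
 * described for CVE-2023-6246: never assume the program name fits
 * a fixed buffer, compute the exact size first, and check returns. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* getpid() */

/* Builds "ident[pid]: msg" into a freshly allocated buffer.
 * Returns the buffer (caller frees) or NULL on error.
 * On success *out_len receives the length, excluding the NUL. */
char *format_log_line(const char *ident, long pid, const char *msg, size_t *out_len)
{
    if (ident == NULL || msg == NULL)
        return NULL;

    /* First pass: ask snprintf how many bytes the result needs. */
    int needed = snprintf(NULL, 0, "%s[%ld]: %s", ident, pid, msg);
    if (needed < 0)
        return NULL;

    size_t size = (size_t)needed + 1;   /* room for the terminating NUL */
    char *buf = malloc(size);
    if (buf == NULL)
        return NULL;

    /* Second pass: write into a buffer that is exactly large enough. */
    int written = snprintf(buf, size, "%s[%ld]: %s", ident, pid, msg);
    if (written < 0 || (size_t)written >= size) {
        free(buf);
        return NULL;     /* formatting failed or output was truncated */
    }
    if (out_len)
        *out_len = (size_t)written;
    return buf;
}

/* Returns 1 if an ident of ident_len bytes (constructed here as a run of
 * 'A's, far longer than typical fixed buffers) is formatted intact, else 0. */
int long_ident_is_handled(size_t ident_len)
{
    char *ident = malloc(ident_len + 1);
    if (ident == NULL)
        return 0;
    memset(ident, 'A', ident_len);
    ident[ident_len] = '\0';

    size_t len = 0;
    char *line = format_log_line(ident, 4242, "hello", &len);
    int ok = line != NULL
          && len == ident_len + strlen("[4242]: hello")
          && strncmp(line, ident, ident_len) == 0
          && strcmp(line + ident_len, "[4242]: hello") == 0;
    free(line);
    free(ident);
    return ok;
}

int main(void)
{
    size_t len;
    char *line = format_log_line("myprog", (long)getpid(), "started", &len);
    if (line) {
        printf("%s (%zu bytes)\n", line, len);
        free(line);
    }
    printf("2048-byte ident handled: %d\n", long_ident_is_handled(2048));
    return 0;
}
```

The two-pass snprintf pattern costs one extra formatting call but makes the buffer size a function of the actual input rather than of an assumption about "reasonable" program names, which is exactly the assumption a long argv[0] violates.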

Linux users and system administrators are advised to update glibc packages to patched versions containing fixes for CVE-2023-6246 and the other resolved issues. Major distros including Ubuntu, Debian, Fedora, and SUSE Linux have issued advisories and updates.

The glibc weakness further highlights the need for robust vulnerability and patch management programs to promptly identify and remediate critical flaws, especially in system-level software. Proactively monitoring Linux packages and libraries for new issues is essential to prevent adversaries from gaining access and maintaining persistence.
