ALERT: Vulnerability in GNU C Library on many Linux Distributions

Friday, October 6, 2023

This alert is intended for U-M IT staff who are responsible for university devices using Linux distributions, or individuals using Linux distributions. It is especially important for those using Linux for university business.

Summary

A vulnerability (CVE-2023-4911) in the GNU C Library (i.e., glibc) on many popular Linux distributions has been discovered. Successful exploit of this vulnerability can give a malicious actor full root privileges. Proof of concept (POC) exploit code is publicly available. Linux systems should be patched as soon as possible.

Problem

The GNU C Library’s dynamic loader has a crucial role in many system functionalities, including preparing and running programs. It runs with elevated privileges, making it especially high priority to address.

Although there currently is no confirmation of exploits in the wild, this exploit could potentially enable attackers to gain root privileges on many popular Linux distributions, and is of heightened concern because proof-of-concept-code is publicly available.

Threats

POC exploit code is available publicly, and while there are no reports yet, the vulnerability could be actively exploited in the wild.

Affected Versions

This vulnerability (CVE-2023-4911) has been fixed in upstream glibc.

Some distributions like Alpine Linux are exempt due to their use of musl libc instead of glibc, but many popular distributions are potentially vulnerable in the near future.

Action Items

Because  of this vulnerability, the need for immediate action supersedes the remediation timeframes in Vulnerability Management (DS-21).

Linux distribution vendors are urging users to upgrade to a non-vulnerable version of the library: such as Ubuntu, RedHat, Debian, Fedora, Gentoo.

Technical Details

  • A buffer overflow was discovered in the GNU C Library's dynamic loader’s processing of the GLIBC_TUNABLES environment variable.
  • An attacker could use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

How We Protect U-M

ITS Information Assurance (IA) monitors a number of sources for information about new vulnerabilities and threats and provides up-to-date information to the university community.

IA performs regular vulnerability scans of university networks to identify vulnerable devices and request remediation and provides vulnerability management guidance to the university.

Information for Users

All managed MiServer Linux servers will be patched without need for requests. ITS will communicate again if the schedule deviates from what was previously communicated.

Questions, Concerns, Reports

Please contact ITS Information Assurance through the ITS Service Center.