CVE-2023-4911

Published: 03 Oct 2023
Source: redhat
CVSS3: 7.8

Description

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Report

This vulnerability was introduced in glibc version 2.34. RHEL-8 ships glibc 2.28, which is not originally affected by this vulnerability. However, the commit that introduced this vulnerability was backported to RHEL-8.5, making this version and onward vulnerable. RHEL-8.4 and older are not affected by this vulnerability.

Mitigation

For customers who cannot update immediately and do not have Secure Boot enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES environment variable, e.g. GLIBC_TUNABLES= sudo . Note that these mitigation steps will need to be repeated if the system is rebooted.

  1. Install the required systemtap packages and dependencies as per https://access.redhat.com/solutions/5441
  2. Create the following systemtap script and name it stap_block_suid_tunables.stp:

     function has_tunable_string:long() {
       name = "GLIBC_TUNABLES"
       mm = @task(task_current())->mm;
       if (mm) {
         env_start = @mm(mm)->env_start;
         env_end = @mm(mm)->env_end;
         if (env_start != 0 && env_end != 0)
           while (env_end > env_start) {
             cur = user_string(env_start, "");
             env_name = tokenize(cur, "=");
             if (env_name == name && tokenize("", "") != "")
               return 1;
             env_start += strlen (cur) + 1
           }
       }
       return 0;
     }

     probe process("/lib*/ld*.so*").function("__tunables_init") {
       atsecure = 0;
       /* Skip processing if we can't read __libc_enable_secure, e.g. core dump
          handler (systemd-cgroups-agent and systemd-coredump). */
       try {
         atsecure = @var("__libc_enable_secure");
       } catch {
         printk (4, sprintf ("CVE-2023-4911: Skipped check: %s (%d)", execname(), pid()));
       }
       if (atsecure && has_tunable_string ())
         raise (9);
     }

  3. Load the systemtap module into the running kernel:

     stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp

  4. Ensure the module is loaded:

     lsmod | grep -i stap_block_suid_tunables
     stap_block_suid_tunables 249856 0

  5. Once the glibc package is updated to the version containing the fix, the systemtap-generated kernel module can be removed by running:

     rmmod stap_block_suid_tunables

If Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap
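As an added example (not Red Hat's code and not part of this advisory), the following Python audit mirrors in userspace what the SystemTap probe does in __tunables_init: it walks a process's NUL-separated environment block and flags GLIBC_TUNABLES only when it carries a non-empty value, then combines that with a setuid check derived from /proc/<pid>/status. It assumes a Linux /proc layout and approximates AT_SECURE by comparing real and effective ids; because ld.so parses tunables at exec time, this is an after-the-fact audit, not a replacement for the kernel probe or the glibc update.

```python
from pathlib import Path

TUNABLE_NAME = b"GLIBC_TUNABLES"


def has_tunable_string(environ: bytes) -> bool:
    """Userspace mirror of the SystemTap has_tunable_string(): environ is the
    raw NUL-separated block from /proc/<pid>/environ. Only an entry with a
    non-empty value counts, so the 'GLIBC_TUNABLES= sudo' workaround passes."""
    for entry in environ.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name == TUNABLE_NAME and value:
            return True
    return False


def is_atsecure(status_text: str) -> bool:
    """Approximate ld.so's __libc_enable_secure (AT_SECURE) from
    /proc/<pid>/status: real and effective uid or gid differ, i.e. the process
    came from a setuid/setgid binary. Capability-granted AT_SECURE is not
    covered (assumption of this example)."""
    for line in status_text.splitlines():
        key, _, rest = line.partition(":")
        ids = rest.split()
        if key in ("Uid", "Gid") and len(ids) >= 2 and ids[0] != ids[1]:
            return True
    return False


def audit_proc(proc: str = "/proc") -> list:
    """Return [(pid, comm)] for live processes that are both setuid/setgid and
    carry a non-empty GLIBC_TUNABLES. Reading another user's environ needs
    root; unreadable or already-exited entries are skipped."""
    hits = []
    for entry in Path(proc).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            environ = (entry / "environ").read_bytes()
            status = (entry / "status").read_text()
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue
        if is_atsecure(status) and has_tunable_string(environ):
            hits.append((int(entry.name), comm))
    return hits


if __name__ == "__main__":
    for pid, comm in audit_proc():
        print(f"CVE-2023-4911 audit: setuid process {comm} ({pid}) has GLIBC_TUNABLES set")
```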

Affected packages

Platform                                          | Package      | Status       | Advisory        | Release
Red Hat Enterprise Linux 6                        | glibc        | Not affected |                 |
Red Hat Enterprise Linux 7                        | compat-glibc | Not affected |                 |
Red Hat Enterprise Linux 7                        | glibc        | Not affected |                 |
Red Hat Enterprise Linux 8                        | glibc        | Fixed        | RHSA-2023:5455  | 05.10.2023
Red Hat Enterprise Linux 8.6 Extended Update Support | glibc     | Fixed        | RHSA-2023:5476  | 05.10.2023
Red Hat Enterprise Linux 9                        | glibc        | Fixed        | RHBA-2024:2413  | 30.04.2024
Red Hat Enterprise Linux 9                        | glibc        | Fixed        | RHSA-2023:5453  | 05.10.2023


Additional information

Status: Important
Weakness: CWE-122
Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2238352 (glibc: buffer overflow in ld.so leading to privilege escalation)
CVSS3: 7.8 (High)

Related vulnerabilities (other sources' entries for this CVE)

ubuntu: CVSS3 7.8, more than 1 year ago. Description identical to the one above.
nvd: CVSS3 7.8, more than 1 year ago. Description identical to the one above.
msrc: CVSS3 7.8, more than 1 year ago. No description available.
debian: CVSS3 7.8, more than 1 year ago. "A buffer overflow was discovered in the GNU C Library's dynamic loader ..."
github: CVSS3 7.8, more than 1 year ago. Description identical to the one above.