CI Operators:
A vulnerability in glibc's ld.so dynamic loader has been discovered [1]. Dubbed "Looney Tunables" [2] due to the use of the GLIBC_TUNABLES environment variable, the vulnerability enables a local user to become root. The vulnerability has a CVSSv3 score of 7.8 and is tracked as CVE-2023-4911 [3].
Impact:
A local attacker could exploit the vulnerability in glibc's ld.so dynamic loader by launching a binary with the SUID permission bit while a malicious GLIBC_TUNABLES environment variable is set, executing code with the elevated privileges of that binary.
Affected Software:
glibc in Red Hat 8 & 9 [4], Debian bullseye & bookworm [5], Ubuntu jammy & lunar [6], and other Linux distributions that rely on glibc. Note that Alpine Linux is not affected since it uses the musl libc library instead of glibc.
Recommendation:
Update glibc from your distribution's packages as soon as a fixed version is available. Red Hat has provided a temporary mitigation [4] that terminates any setuid program invoked with GLIBC_TUNABLES in the environment.
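As an added example (not part of the Trusted CI advisory or any distribution's tooling), the following read-only audit can be run by an unprivileged user to inventory the exposure surface described above and to check whether a "terminate setuid programs started with GLIBC_TUNABLES" mitigation such as Red Hat's is active. The search directories, the use of `su --help` as the probe target, and the benign tunable value are assumptions; adjust them for your hosts.

```shell
#!/bin/sh
# Added example, not from Trusted CI or any distribution: a read-only audit
# for CVE-2023-4911 that an unprivileged user can run. The probe target
# (su --help) and tunable value are assumptions chosen for the example.

# Which libc is installed? musl (Alpine) is not affected; glibc prints its version.
libc_version() {
    ldd --version 2>/dev/null | head -n 1
}

# Setuid binaries whose dynamic section references glibc's libc.so.6: these
# are the programs through which the flaw could be triggered. File contents
# are read instead of running ldd, so no setuid binary is executed by the scan.
suid_glibc_binaries() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null | while read -r bin; do
        if grep -aq 'libc\.so\.6' "$bin" 2>/dev/null; then
            printf '%s\n' "$bin"
        fi
    done
}

# Probe a "terminate setuid programs started with GLIBC_TUNABLES" mitigation
# such as the SystemTap script Red Hat published. A benign, valid tunable is
# used; with the mitigation active the process is killed by a signal before it
# runs (exit status above 128), otherwise the command completes normally.
# Returns 0 when the process was terminated, 1 otherwise.
mitigation_kills() {
    bin=$1; shift
    GLIBC_TUNABLES=glibc.malloc.check=0 "$bin" "$@" >/dev/null 2>&1
    [ $? -gt 128 ]
}

# Report for the directories given on the command line.
report() {
    printf 'libc: %s\n' "$(libc_version)"
    printf 'setuid binaries linked against glibc:\n'
    suid_glibc_binaries "$@" | sed 's/^/  /'
    su=$(command -v su)
    if [ -n "$su" ] && [ -u "$su" ]; then
        if mitigation_kills "$su" --help; then
            printf 'GLIBC_TUNABLES kill mitigation: active (su was terminated)\n'
        else
            printf 'GLIBC_TUNABLES kill mitigation: not detected (su ran normally)\n'
        fi
    else
        printf 'GLIBC_TUNABLES kill mitigation: probe skipped (no setuid su found)\n'
    fi
}

if [ $# -gt 0 ]; then
    report "$@"
fi
```

Invoke as `sh glibc_tunables_audit.sh /usr/bin /usr/sbin /bin /sbin`; the mitigation probe only reports "active" when the setuid su process is terminated before it can print its help text.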
References:
[1] https://seclists.org/oss-sec/2023/q4/18
[2] https://thehackernews.com/2023/10/looney-tunables-new-linux-flaw-enables.html
[3] https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4911
[4] https://access.redhat.com/security/cve/cve-2023-4911
[5] https://security-tracker.debian.org/tracker/CVE-2023-4911
[6] https://ubuntu.com/security/CVE-2023-4911
How Trusted CI can help:
The potential impact of any vulnerability, and therefore the appropriate response, depends in part on operational conditions that are unique to each cyberinfrastructure deployment. Trusted CI cannot provide a one-size-fits-all severity rating and response recommendation for all NSF cyberinfrastructure. Please contact us (https://trustedci.org/help/) if you need assistance with assessing the potential impact of this vulnerability in your environment and/or you have additional information about this issue that should be shared with the community.