A local privilege escalation flaw within the GNU C (glibc) has been disclosed, opening up the possibility of cyberattacks on endpoints with the library installed - quite a large pool, as the library enables critical kernel features across several major Linux distributions.
Per BleepingComputer, the flaw, disclosed as CVE-2023-6246, was found in glibc’s __vsyslog_internal() function, called by the syslog and vyslog functions for logging messages to the system.
The flaw allows, via a buffer overflow, unauthorised users to gain root access - full read, write and execute permissions - across a distribution instance, which is, to use the correct computing term, terrifying.
The technical stuff
In its disclosure published on January 30 2024, researchers from security company Qualys wrote that even up to date Fedora installations were exploitable. That’s concerning, but disclosure should expedite a fix.
Making things worse is the fact that, per the disclosure again this vulnerability was backported to 2.36 via another code commit fixing a different flaw in __vsyslog_internal(), stemming from an uninitialized memory read, tracked as CVE-2022-39046.
Buffer overflow, or more data being written to a part of a computer program than it has allocated, allowing for the execution of arbitrary, potentially nefarious code, has always been a serious problem for the decades-old glibc library, to the point where Qualys found that a very similar bug in its code has occurred before, in 1997.
The common solution is to add functions to code that check memory bounds, so that, if an allocation to a buffer would cause an overflow, it’s refused.
The implications
Even if you’re not a programmer, this news should trouble anyone who’s given into the hype and is now running Debian (versions 12 to 13) or a Debian-based Linux distribution, which includes Raspberry Pi OS, as well as other major Linux variants like Fedora (37 to 39) and Ubuntu (23.04 and 23.10) and their offshoots, including the established and popular Linux Mint.
Qualys also pointed out that ‘other distributions are probably also exploitable’, so even though we’ve named some of the popular distributions affected, you may wish to investigate further.
The one saving grace from all of this is that Qualys don’t believe the exploit can be triggered remotely, writing in its disclosure that “to the best of our knowledge, this vulnerability cannot be triggered remotely in any likely scenario (because it requires an argv[0], or an openlog() ident argument, longer than 1024 bytes to be triggered)”.