{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4911", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-09-12T13:10:32.495Z", "datePublished": "2023-10-03T17:25:08.434Z", "dateUpdated": "2024-11-23T01:12:42.567Z"}, "containers": {"cna": {"title": "Glibc: buffer overflow in ld.so leading to privilege escalation", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges."}], "affected": [{"versions": [{"status": "affected", "version": "2.34", "lessThan": "2.39", "versionType": "custom"}], "packageName": "glibc", "collectionURL": "https://sourceware.org/git/glibc.git", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.28-225.el8_8.6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.28-225.el8_8.6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.28-189.6.el8_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8", "cpe:/a:redhat:rhel_eus:8.6::crb", "cpe:/a:redhat:rhel_eus:8.6::appstream", "cpe:/o:redhat:rhel_eus:8.6::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.34-60.el9_2.7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.34-60.el9_2.7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.34-28.el9_0.4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.0::crb", "cpe:/a:redhat:rhel_eus:9.0::appstream", "cpe:/o:redhat:rhel_eus:9.0::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.28-189.6.el8_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8", "cpe:/a:redhat:rhel_eus:8.6::crb", "cpe:/a:redhat:rhel_eus:8.6::appstream", "cpe:/o:redhat:rhel_eus:8.6::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "redhat-release-virtualization-host", "defaultStatus": "affected", "versions": [{"version": "0:4.5.3-10.el8ev", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "redhat-virtualization-host", "defaultStatus": "affected", "versions": [{"version": "0:4.5.3-202312060823_8.6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "compat-glibc", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5453", "name": "RHSA-2023:5453", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5454", "name": "RHSA-2023:5454", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5455", "name": "RHSA-2023:5455", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5476", "name": "RHSA-2023:5476", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0033", "name": "RHSA-2024:0033", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4911", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", "name": "RHBZ#2238352", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"}, {"url": "https://www.qualys.com/cve-2023-4911/"}], "datePublic": "2023-10-03T17:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow", "workarounds": [{"lang": "en", "value": "For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. `GLIBC_TUNABLES= sudo` . \n\nNote that these mitigation steps will need to be repeated if the system is rebooted.\n\n1) Install required systemtap packages and dependencies as per - https://access.redhat.com/solutions/5441\n\n\n2) Create the following systemtap script, and name it stap_block_suid_tunables.stp:\n ~~~\nfunction has_tunable_string:long()\n{\n name = \"GLIBC_TUNABLES\"\n\n mm = @task(task_current())->mm;\n if (mm)\n {\n env_start = @mm(mm)->env_start;\n env_end = @mm(mm)->env_end;\n\n if (env_start != 0 && env_end != 0)\n while (env_end > env_start)\n {\n cur = user_string(env_start, \"\");\n env_name = tokenize(cur, \"=\");\n \n if (env_name == name && tokenize(\"\", \"\") != \"\")\n return 1;\n env_start += strlen (cur) + 1\n }\n }\n\n return 0;\n}\n\nprobe process(\"/lib*/ld*.so*\").function(\"__tunables_init\")\n{\n atsecure = 0;\n /* Skip processing if we can't read __libc_enable_secure, e.g. core dump\n handler (systemd-cgroups-agent and systemd-coredump). */\n try { atsecure = @var(\"__libc_enable_secure\"); }\n catch { printk (4, sprintf (\"CVE-2023-4911: Skipped check: %s (%d)\", execname(), pid())); }\n if (atsecure && has_tunable_string ())\n raise (9);\n}\n~~~\n\n3) Load the systemtap module into the running kernel:\n ~~~\n stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp\n ~~~\n\n4) Ensure the module is loaded:\n ~~~\n lsmod | grep -i stap_block_suid_tunables\nstap_block_suid_tunables 249856 0\n~~~\n\n5) Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:\n ~~~\n rmmod stap_block_suid_tunables\n ~~~\n\nIf Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap"}], "timeline": [{"lang": "en", "time": "2023-09-04T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-03T17:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Qualys Research Labs for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-23T01:12:42.567Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.050Z"}, "title": "CVE Program Container", "references": [{"url": "http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2023/Oct/11", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/03/2", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/03/3", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/05/1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/13/11", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/3", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/6", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5453", "name": "RHSA-2023:5453", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5454", "name": "RHSA-2023:5454", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5455", "name": "RHSA-2023:5455", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5476", "name": "RHSA-2023:5476", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0033", "name": "RHSA-2024:0033", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4911", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", "name": "RHBZ#2238352", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202310-03", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231013-0006/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5514", "tags": ["x_transferred"]}, {"url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt", "tags": ["x_transferred"]}, {"url": "https://www.qualys.com/cve-2023-4911/", "tags": ["x_transferred"]}]}]}}

{}

{"cisaActionDue": "2023-12-12", "cisaExploitAdd": "2023-11-21", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "GNU C Library Buffer Overflow Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "matchCriteriaId": "71609239-5262-473E-ACCE-18AE51AB184E", "versionEndExcluding": "2.39", "versionStartIncluding": "2.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "8BE16CC2-C6B4-4B73-98A1-F28475A92F49", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "FB1DF28D-0D84-4E40-8E46-BA0EFD371111", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "3C1A0CA2-2BBD-4A7A-B467-F456867D5EC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "845B853C-8F99-4987-AA8E-76078CE6A977", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BB28F9AF-3D06-4532-B397-96D7E4792503", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "6C3741B8-851F-475D-B428-523F4F722350", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.6_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "37B7CE5C-BFEA-4F96-9759-D511EF189059", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus_s390x:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "B2C0ED62-9DEE-437C-AC01-0173128259DB", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:8.6_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "A633E21A-EBAA-41C9-A009-A36BDC762464", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "76C24D94-834A-4E9D-8F73-624AFA99AAA2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "1272DF03-7674-4BD4-8E64-94004B195448", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*", "matchCriteriaId": "359012F1-2C63-415A-88B8-6726A87830DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*", "matchCriteriaId": "B2E702D7-F8C0-49BF-9FFB-883017076E98", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*", "matchCriteriaId": "204FC6CC-9DAC-45FB-8A9F-C9C8EDD29D54", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges."}, {"lang": "es", "value": "Se descubri\u00f3 un desbordamiento del b\u00fafer en el cargador din\u00e1mico ld.so de la librer\u00eda GNU C mientras se procesaba la variable de entorno GLIBC_TUNABLES. Este problema podr\u00eda permitir que un atacante local utilice variables de entorno GLIBC_TUNABLES manipuladas con fines malintencionados al iniciar archivos binarios con permiso SUID para ejecutar c\u00f3digo con privilegios elevados."}], "id": "CVE-2023-4911", "lastModified": "2024-11-21T08:36:14.780", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "[email protected]", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "[email protected]", "type": "Primary"}]}, "published": "2023-10-03T18:15:10.463", "references": [{"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5453"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5454"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5455"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5476"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0033"}, {"source": "[email protected]", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4911"}, {"source": "[email protected]", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352"}, {"source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.qualys.com/cve-2023-4911/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://seclists.org/fulldisclosure/2023/Oct/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/10/03/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/10/03/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/10/05/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/10/13/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/10/14/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/10/14/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2023/10/14/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5453"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5454"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5455"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5476"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0033"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mitigation", "Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4911"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.fedoraproject.org/archives/list/[email protected]/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.gentoo.org/glsa/202310-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231013-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://www.debian.org/security/2023/dsa-5514"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.qualys.com/cve-2023-4911/"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "[email protected]", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "[email protected]", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Qualys Research Labs for reporting this issue.", "affected_release": [{"advisory": "RHSA-2023:5455", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "glibc-0:2.28-225.el8_8.6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5455", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "glibc-0:2.28-225.el8_8.6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5476", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "glibc-0:2.28-189.6.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5453", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "glibc-0:2.34-60.el9_2.7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5453", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "glibc-0:2.34-60.el9_2.7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5454", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "glibc-0:2.34-28.el9_0.4", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5476", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "glibc-0:2.28-189.6.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2024:0033", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "redhat-release-virtualization-host-0:4.5.3-10.el8ev", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2024-01-03T00:00:00Z"}, {"advisory": "RHSA-2024:0033", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "redhat-virtualization-host-0:4.5.3-202312060823_8.6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2024-01-03T00:00:00Z"}], "bugzilla": {"description": "glibc: buffer overflow in ld.so leading to privilege escalation", "id": "2238352", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-122", "details": ["A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.", "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges."], "mitigation": {"lang": "en:us", "value": "For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. `GLIBC_TUNABLES= sudo` . \nNote that these mitigation steps will need to be repeated if the system is rebooted.\n1) Install required systemtap packages and dependencies as per - https://access.redhat.com/solutions/5441\n2) Create the following systemtap script, and name it stap_block_suid_tunables.stp:\n~~~\nfunction has_tunable_string:long()\n{\nname = \"GLIBC_TUNABLES\"\nmm = @task(task_current())->mm;\nif (mm)\n{\nenv_start = @mm(mm)->env_start;\nenv_end = @mm(mm)->env_end;\nif (env_start != 0 && env_end != 0)\nwhile (env_end > env_start)\n{\ncur = user_string(env_start, \"\");\nenv_name = tokenize(cur, \"=\");\nif (env_name == name && tokenize(\"\", \"\") != \"\")\nreturn 1;\nenv_start += strlen (cur) + 1\n}\n}\nreturn 0;\n}\nprobe process(\"/lib*/ld*.so*\").function(\"__tunables_init\")\n{\natsecure = 0;\n/* Skip processing if we can't read __libc_enable_secure, e.g. core dump\nhandler (systemd-cgroups-agent and systemd-coredump). */\ntry { atsecure = @var(\"__libc_enable_secure\"); }\ncatch { printk (4, sprintf (\"CVE-2023-4911: Skipped check: %s (%d)\", execname(), pid())); }\nif (atsecure && has_tunable_string ())\nraise (9);\n}\n~~~\n3) Load the systemtap module into the running kernel:\n~~~\nstap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp\n~~~\n4) Ensure the module is loaded:\n~~~\nlsmod | grep -i stap_block_suid_tunables\nstap_block_suid_tunables 249856 0\n~~~\n5) Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:\n~~~\nrmmod stap_block_suid_tunables\n~~~\nIf Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap"}, "name": "CVE-2023-4911", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-10-03T17:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4911\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4911\nhttps://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt\nhttps://www.qualys.com/cve-2023-4911/\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "This vulnerability was introduced in glibc version 2.34. RHEL-8 ships glibc 2.28, which is not originally affected by this vulnerability. However, the commit that introduced this vulnerability was backported to RHEL-8.5, making this version and onward vulnerable. RHEL-8.4 and older are not affected by this vulnerability.", "threat_severity": "Important", "upstream_fix": "glibc 2.39"}