CVE-2023-4911 - Vulnerability Details

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

No CVSS v4.0

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is in the KEV database since Nov. 21, 2023.

Exploitation Active

Automatable no

Technical Impact Total

Vendors	Products
Canonical	Ubuntu Linux
Debian	Debian Linux
Fedoraproject	Fedora
Gnu	Glibc
Netapp	H300s H300s Firmware H410c H410c Firmware H410s H410s Firmware H500s H500s Firmware H700s H700s Firmware Ontap Select Deploy Administration Utility
Redhat	Codeready Linux Builder Codeready Linux Builder Eus Codeready Linux Builder For Arm64 Codeready Linux Builder For Arm64 Eus Codeready Linux Builder For Ibm Z Systems Codeready Linux Builder For Ibm Z Systems Eus Codeready Linux Builder For Power Little Endian Codeready Linux Builder For Power Little Endian Eus Enterprise Linux Enterprise Linux Eus Enterprise Linux For Arm 64 Enterprise Linux For Arm 64 Eus Enterprise Linux For Ibm Z Systems Enterprise Linux For Ibm Z Systems Eus Enterprise Linux For Ibm Z Systems Eus S390x Enterprise Linux For Power Big Endian Eus Enterprise Linux For Power Little Endian Enterprise Linux For Power Little Endian Eus Enterprise Linux Server Aus Enterprise Linux Server For Power Little Endian Update Services For Sap Solutions Enterprise Linux Server Tus Rhel Eus Rhev Hypervisor Virtualization Virtualization Host

Configuration 1 [-]

cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*

Configuration 2 [-]

OR	cpe:2.3:o:fedoraproject:fedora:37:::::::*
	cpe:2.3:o:fedoraproject:fedora:38:::::::*
	cpe:2.3:o:fedoraproject:fedora:39:::::::*

Configuration 3 [-]

OR	cpe:2.3:a:redhat:codeready_linux_builder:9.0:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_eus:8.6:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_eus:9.2:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_eus:9.4:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_arm64:9.0_aarch64:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:8.6:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.2_aarch64:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.4_aarch64:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:9.0_s390x:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:8.6:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.2_s390x:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.4_s390x:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:9.0_ppc64le:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:8.6:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.2_ppc64le:::::::*
	cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.4_ppc64le:::::::*
	cpe:2.3:a:redhat:virtualization:4.0:::::::*
	cpe:2.3:a:redhat:virtualization_host:4.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:8.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux:9.0:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:9.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_eus:9.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.6_aarch64:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.2_aarch64:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.4_aarch64:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.2_s390x:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.4_s390x:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus_s390x:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:8.6_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.4_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_aus:9.4:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.4_ppc64le:::::::*
	cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:::::::*

Configuration 4 [-]

OR	cpe:2.3:o:canonical:ubuntu_linux:22.04::::lts:::
	cpe:2.3:o:canonical:ubuntu_linux:23.04:::::::*
	cpe:2.3:o:debian:debian_linux:11.0:::::::*
	cpe:2.3:o:debian:debian_linux:12.0:::::::*

Configuration 5 [-]

AND

cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND

cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND

cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND

cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND

cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*

cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*

Configuration 10 [-]

cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*

Package	CPE	Advisory	Released Date
Red Hat Enterprise Linux 8
glibc-0:2.28-225.el8_8.6	cpe:/a:redhat:enterprise_linux:8	RHSA-2023:5455	2023-10-05T00:00:00Z
glibc-0:2.28-225.el8_8.6	cpe:/o:redhat:enterprise_linux:8	RHSA-2023:5455	2023-10-05T00:00:00Z
Red Hat Enterprise Linux 8.6 Extended Update Support
glibc-0:2.28-189.6.el8_6	cpe:/a:redhat:rhel_eus:8.6	RHSA-2023:5476	2023-10-05T00:00:00Z
Red Hat Enterprise Linux 9
glibc-0:2.34-60.el9_2.7	cpe:/a:redhat:enterprise_linux:9	RHSA-2023:5453	2023-10-05T00:00:00Z
glibc-0:2.34-60.el9_2.7	cpe:/o:redhat:enterprise_linux:9	RHSA-2023:5453	2023-10-05T00:00:00Z
Red Hat Enterprise Linux 9.0 Extended Update Support
glibc-0:2.34-28.el9_0.4	cpe:/a:redhat:rhel_eus:9.0	RHSA-2023:5454	2023-10-05T00:00:00Z
Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
glibc-0:2.28-189.6.el8_6	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2023:5476	2023-10-05T00:00:00Z
redhat-release-virtualization-host-0:4.5.3-10.el8ev	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2024:0033	2024-01-03T00:00:00Z
redhat-virtualization-host-0:4.5.3-202312060823_8.6	cpe:/o:redhat:rhev_hypervisor:4.4::el8	RHSA-2024:0033	2024-01-03T00:00:00Z

References

Link	Providers
http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html
http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2023/Oct/11
http://www.openwall.com/lists/oss-security/2023/10/03/2
http://www.openwall.com/lists/oss-security/2023/10/03/3
http://www.openwall.com/lists/oss-security/2023/10/05/1
http://www.openwall.com/lists/oss-security/2023/10/13/11
http://www.openwall.com/lists/oss-security/2023/10/14/3
http://www.openwall.com/lists/oss-security/2023/10/14/5
http://www.openwall.com/lists/oss-security/2023/10/14/6
https://access.redhat.com/errata/RHSA-2023:5453
https://access.redhat.com/errata/RHSA-2023:5454
https://access.redhat.com/errata/RHSA-2023:5455
https://access.redhat.com/errata/RHSA-2023:5476
https://access.redhat.com/errata/RHSA-2024:0033
https://access.redhat.com/security/cve/CVE-2023-4911
https://bugzilla.redhat.com/show_bug.cgi?id=2238352
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/
https://nvd.nist.gov/vuln/detail/CVE-2023-4911
https://security.gentoo.org/glsa/202310-03
https://security.netapp.com/advisory/ntap-20231013-0006/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cve.org/CVERecord?id=CVE-2023-4911
https://www.debian.org/security/2023/dsa-5514
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
https://www.qualys.com/cve-2023-4911/

History

Tue, 28 Jan 2025 16:15:00 +0000

Type	Values Removed	Values Added
Metrics		kev `{'dateAdded': '2023-11-21'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'Active', 'Technical Impact': 'Total'}, 'version': '2.0.3'}`

Mon, 27 Jan 2025 22:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Netapp Netapp h300s Netapp h300s Firmware Netapp h410c Netapp h410c Firmware Netapp h410s Netapp h410s Firmware Netapp h500s Netapp h500s Firmware Netapp h700s Netapp h700s Firmware Netapp ontap Select Deploy Administration Utility Redhat codeready Linux Builder Redhat codeready Linux Builder For Arm64 Redhat codeready Linux Builder For Ibm Z Systems Redhat codeready Linux Builder For Power Little Endian Redhat enterprise Linux For Arm 64 Redhat enterprise Linux For Ibm Z Systems Redhat enterprise Linux For Ibm Z Systems Eus Redhat enterprise Linux For Power Little Endian Redhat enterprise Linux For Power Little Endian Eus Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions
CPEs	cpe:2.3:o:debian:debian_linux:13.0:::::::*	cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:::::::* cpe:2.3:a:redhat:codeready_linux_builder:9.0:::::::* cpe:2.3:a:redhat:codeready_linux_builder_eus:9.2:::::::* cpe:2.3:a:redhat:codeready_linux_builder_eus:9.4:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_arm64:9.0_aarch64:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.2_aarch64:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.4_aarch64:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:9.0_s390x:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.2_s390x:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.4_s390x:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:9.0_ppc64le:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.2_ppc64le:::::::* cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.4_ppc64le:::::::* cpe:2.3:h:netapp:h300s:-:::::::* cpe:2.3:h:netapp:h410c:-:::::::* cpe:2.3:h:netapp:h410s:-:::::::* cpe:2.3:h:netapp:h500s:-:::::::* cpe:2.3:h:netapp:h700s:-:::::::* cpe:2.3:o:debian:debian_linux:11.0:::::::* cpe:2.3:o:netapp:h300s_firmware:-:::::::* cpe:2.3:o:netapp:h410c_firmware:-:::::::* cpe:2.3:o:netapp:h410s_firmware:-:::::::* cpe:2.3:o:netapp:h500s_firmware:-:::::::* cpe:2.3:o:netapp:h700s_firmware:-:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:9.2:::::::* cpe:2.3:o:redhat:enterprise_linux_eus:9.4:::::::* cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:::::::* cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.2_aarch64:::::::* cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.4_aarch64:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.2_s390x:::::::* cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.4_s390x:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2_ppc64le:::::::* cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.4_ppc64le:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:::::::* cpe:2.3:o:redhat:enterprise_linux_server_aus:9.4:::::::* cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:::::::* cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.4_ppc64le:::::::*
Vendors & Products		Netapp Netapp h300s Netapp h300s Firmware Netapp h410c Netapp h410c Firmware Netapp h410s Netapp h410s Firmware Netapp h500s Netapp h500s Firmware Netapp h700s Netapp h700s Firmware Netapp ontap Select Deploy Administration Utility Redhat codeready Linux Builder Redhat codeready Linux Builder For Arm64 Redhat codeready Linux Builder For Ibm Z Systems Redhat codeready Linux Builder For Power Little Endian Redhat enterprise Linux For Arm 64 Redhat enterprise Linux For Ibm Z Systems Redhat enterprise Linux For Ibm Z Systems Eus Redhat enterprise Linux For Power Little Endian Redhat enterprise Linux For Power Little Endian Eus Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions

Fri, 22 Nov 2024 12:00:00 +0000

Type	Values Removed	Values Added
References		http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html http://seclists.org/fulldisclosure/2023/Oct/11 http://www.openwall.com/lists/oss-security/2023/10/03/2 http://www.openwall.com/lists/oss-security/2023/10/03/3 http://www.openwall.com/lists/oss-security/2023/10/05/1 http://www.openwall.com/lists/oss-security/2023/10/13/11 http://www.openwall.com/lists/oss-security/2023/10/14/3 http://www.openwall.com/lists/oss-security/2023/10/14/5 http://www.openwall.com/lists/oss-security/2023/10/14/6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/ https://security.gentoo.org/glsa/202310-03 https://security.netapp.com/advisory/ntap-20231013-0006/ https://www.debian.org/security/2023/dsa-5514

Tue, 17 Sep 2024 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Canonical Canonical ubuntu Linux Debian Debian debian Linux
CPEs		cpe:2.3:o:canonical:ubuntu_linux:22.04::::lts::: cpe:2.3:o:canonical:ubuntu_linux:23.04:::::::* cpe:2.3:o:debian:debian_linux:12.0:::::::* cpe:2.3:o:debian:debian_linux:13.0:::::::*
Vendors & Products		Canonical Canonical ubuntu Linux Debian Debian debian Linux

Mon, 16 Sep 2024 14:45:00 +0000

Type	Values Removed	Values Added
References	http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html http://seclists.org/fulldisclosure/2023/Oct/11 http://www.openwall.com/lists/oss-security/2023/10/03/2 http://www.openwall.com/lists/oss-security/2023/10/03/3 http://www.openwall.com/lists/oss-security/2023/10/05/1 http://www.openwall.com/lists/oss-security/2023/10/13/11 http://www.openwall.com/lists/oss-security/2023/10/14/3 http://www.openwall.com/lists/oss-security/2023/10/14/5 http://www.openwall.com/lists/oss-security/2023/10/14/6 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/ https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/ https://security.gentoo.org/glsa/202310-03 https://security.netapp.com/advisory/ntap-20231013-0006/ https://www.debian.org/security/2023/dsa-5514

Wed, 14 Aug 2024 01:00:00 +0000

Type	Values Removed	Values Added
References		https://www.cisa.gov/known-exploited-vulnerabilities-catalog

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-10-03T17:25:08.434Z

Updated: 2025-01-28T16:07:20.500Z

Reserved: 2023-09-12T13:10:32.495Z

Link: CVE-2023-4911

Vulnrichment

Updated: 2024-08-02T07:44:52.050Z

NVD

Status : Analyzed

Published: 2023-10-03T18:15:10.463

Modified: 2025-01-27T21:45:46.857

Link: CVE-2023-4911

Redhat

Severity : Important

Publid Date: 2023-10-03T17:00:00Z

Links: CVE-2023-4911 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4911", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-09-12T13:10:32.495Z", "datePublished": "2023-10-03T17:25:08.434Z", "dateUpdated": "2025-01-28T16:07:20.500Z"}, "containers": {"cna": {"title": "Glibc: buffer overflow in ld.so leading to privilege escalation", "metrics": [{"other": {"content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges."}], "affected": [{"versions": [{"status": "affected", "version": "2.34", "lessThan": "2.39", "versionType": "custom"}], "packageName": "glibc", "collectionURL": "https://sourceware.org/git/glibc.git", "defaultStatus": "unaffected"}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.28-225.el8_8.6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.28-225.el8_8.6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/a:redhat:enterprise_linux:8::appstream"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.28-189.6.el8_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8", "cpe:/a:redhat:rhel_eus:8.6::crb", "cpe:/a:redhat:rhel_eus:8.6::appstream", "cpe:/o:redhat:rhel_eus:8.6::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.34-60.el9_2.7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.34-60.el9_2.7", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.34-28.el9_0.4", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/a:redhat:rhel_eus:9.0::crb", "cpe:/a:redhat:rhel_eus:9.0::appstream", "cpe:/o:redhat:rhel_eus:9.0::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "affected", "versions": [{"version": "0:2.28-189.6.el8_6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8", "cpe:/a:redhat:rhel_eus:8.6::crb", "cpe:/a:redhat:rhel_eus:8.6::appstream", "cpe:/o:redhat:rhel_eus:8.6::baseos"]}, {"vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "redhat-release-virtualization-host", "defaultStatus": "affected", "versions": [{"version": "0:4.5.3-10.el8ev", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "redhat-virtualization-host", "defaultStatus": "affected", "versions": [{"version": "0:4.5.3-202312060823_8.6", "lessThan": "*", "versionType": "rpm", "status": "unaffected"}], "cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "compat-glibc", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "glibc", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}], "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5453", "name": "RHSA-2023:5453", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5454", "name": "RHSA-2023:5454", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5455", "name": "RHSA-2023:5455", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5476", "name": "RHSA-2023:5476", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0033", "name": "RHSA-2024:0033", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4911", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", "name": "RHBZ#2238352", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"}, {"url": "https://www.qualys.com/cve-2023-4911/"}], "datePublic": "2023-10-03T17:00:00.000Z", "problemTypes": [{"descriptions": [{"cweId": "CWE-122", "description": "Heap-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow", "workarounds": [{"lang": "en", "value": "For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. `GLIBC_TUNABLES= sudo` . \n\nNote that these mitigation steps will need to be repeated if the system is rebooted.\n\n1) Install required systemtap packages and dependencies as per - https://access.redhat.com/solutions/5441\n\n\n2) Create the following systemtap script, and name it stap_block_suid_tunables.stp:\n ~~~\nfunction has_tunable_string:long()\n{\n name = \"GLIBC_TUNABLES\"\n\n mm = @task(task_current())->mm;\n if (mm)\n {\n env_start = @mm(mm)->env_start;\n env_end = @mm(mm)->env_end;\n\n if (env_start != 0 && env_end != 0)\n while (env_end > env_start)\n {\n cur = user_string(env_start, \"\");\n env_name = tokenize(cur, \"=\");\n \n if (env_name == name && tokenize(\"\", \"\") != \"\")\n return 1;\n env_start += strlen (cur) + 1\n }\n }\n\n return 0;\n}\n\nprobe process(\"/lib*/ld*.so*\").function(\"__tunables_init\")\n{\n atsecure = 0;\n /* Skip processing if we can't read __libc_enable_secure, e.g. core dump\n handler (systemd-cgroups-agent and systemd-coredump). */\n try { atsecure = @var(\"__libc_enable_secure\"); }\n catch { printk (4, sprintf (\"CVE-2023-4911: Skipped check: %s (%d)\", execname(), pid())); }\n if (atsecure && has_tunable_string ())\n raise (9);\n}\n~~~\n\n3) Load the systemtap module into the running kernel:\n ~~~\n stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp\n ~~~\n\n4) Ensure the module is loaded:\n ~~~\n lsmod | grep -i stap_block_suid_tunables\nstap_block_suid_tunables 249856 0\n~~~\n\n5) Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:\n ~~~\n rmmod stap_block_suid_tunables\n ~~~\n\nIf Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap"}], "timeline": [{"lang": "en", "time": "2023-09-04T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-03T17:00:00+00:00", "value": "Made public."}], "credits": [{"lang": "en", "value": "Red Hat would like to thank Qualys Research Labs for reporting this issue."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-23T01:12:42.567Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.050Z"}, "title": "CVE Program Container", "references": [{"url": "http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2023/Oct/11", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/03/2", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/03/3", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/05/1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/13/11", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/3", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/6", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5453", "name": "RHSA-2023:5453", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5454", "name": "RHSA-2023:5454", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5455", "name": "RHSA-2023:5455", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5476", "name": "RHSA-2023:5476", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0033", "name": "RHSA-2024:0033", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4911", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", "name": "RHBZ#2238352", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202310-03", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231013-0006/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5514", "tags": ["x_transferred"]}, {"url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt", "tags": ["x_transferred"]}, {"url": "https://www.qualys.com/cve-2023-4911/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2023-11-22T16:37:43.161550Z", "id": "CVE-2023-4911", "options": [{"Exploitation": "Active"}, {"Automatable": "no"}, {"Technical Impact": "Total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2023-11-21", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-4911"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-28T16:07:20.500Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"url": "http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html", "tags": ["x_transferred"]}, {"url": "http://seclists.org/fulldisclosure/2023/Oct/11", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/03/2", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/03/3", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/05/1", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/13/11", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/3", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/5", "tags": ["x_transferred"]}, {"url": "http://www.openwall.com/lists/oss-security/2023/10/14/6", "tags": ["x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5453", "name": "RHSA-2023:5453", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5454", "name": "RHSA-2023:5454", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5455", "name": "RHSA-2023:5455", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5476", "name": "RHSA-2023:5476", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0033", "name": "RHSA-2024:0033", "tags": ["vendor-advisory", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4911", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", "name": "RHBZ#2238352", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/", "tags": ["x_transferred"]}, {"url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/", "tags": ["x_transferred"]}, {"url": "https://security.gentoo.org/glsa/202310-03", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231013-0006/", "tags": ["x_transferred"]}, {"url": "https://www.debian.org/security/2023/dsa-5514", "tags": ["x_transferred"]}, {"url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt", "tags": ["x_transferred"]}, {"url": "https://www.qualys.com/cve-2023-4911/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:44:52.050Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-4911", "role": "CISA Coordinator", "options": [{"Exploitation": "Active"}, {"Automatable": "no"}, {"Technical Impact": "Total"}], "version": "2.0.3", "timestamp": "2023-11-22T16:37:43.161550Z"}}}, {"other": {"type": "kev", "content": {"dateAdded": "2023-11-21", "reference": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?search_api_fulltext=CVE-2023-4911"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-01-28T16:07:14.081Z"}}], "cna": {"title": "Glibc: buffer overflow in ld.so leading to privilege escalation", "credits": [{"lang": "en", "value": "Red Hat would like to thank Qualys Research Labs for reporting this issue."}], "metrics": [{"other": {"type": "Red Hat severity rating", "content": {"value": "Important", "namespace": "https://access.redhat.com/security/updates/classification/"}}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.8, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"versions": [{"status": "affected", "version": "2.34", "lessThan": "2.39", "versionType": "custom"}], "packageName": "glibc", "collectionURL": "https://sourceware.org/git/glibc.git", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/a:redhat:enterprise_linux:8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:2.28-225.el8_8.6", "lessThan": "*", "versionType": "rpm"}], "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:8::baseos", "cpe:/a:redhat:enterprise_linux:8::crb", "cpe:/a:redhat:enterprise_linux:8::appstream"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:2.28-225.el8_8.6", "lessThan": "*", "versionType": "rpm"}], "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8", "cpe:/a:redhat:rhel_eus:8.6::crb", "cpe:/a:redhat:rhel_eus:8.6::appstream", "cpe:/o:redhat:rhel_eus:8.6::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8.6 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:2.28-189.6.el8_6", "lessThan": "*", "versionType": "rpm"}], "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:2.34-60.el9_2.7", "lessThan": "*", "versionType": "rpm"}], "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:enterprise_linux:9::crb", "cpe:/a:redhat:enterprise_linux:9::appstream", "cpe:/o:redhat:enterprise_linux:9::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "versions": [{"status": "unaffected", "version": "0:2.34-60.el9_2.7", "lessThan": "*", "versionType": "rpm"}], "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/a:redhat:rhel_eus:9.0::crb", "cpe:/a:redhat:rhel_eus:9.0::appstream", "cpe:/o:redhat:rhel_eus:9.0::baseos"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9.0 Extended Update Support", "versions": [{"status": "unaffected", "version": "0:2.34-28.el9_0.4", "lessThan": "*", "versionType": "rpm"}], "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8", "cpe:/a:redhat:rhel_eus:8.6::crb", "cpe:/a:redhat:rhel_eus:8.6::appstream", "cpe:/o:redhat:rhel_eus:8.6::baseos"], "vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:2.28-189.6.el8_6", "lessThan": "*", "versionType": "rpm"}], "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8"], "vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:4.5.3-10.el8ev", "lessThan": "*", "versionType": "rpm"}], "packageName": "redhat-release-virtualization-host", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:rhev_hypervisor:4.4::el8"], "vendor": "Red Hat", "product": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "versions": [{"status": "unaffected", "version": "0:4.5.3-202312060823_8.6", "lessThan": "*", "versionType": "rpm"}], "packageName": "redhat-virtualization-host", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "affected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:6"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "compat-glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}, {"cpes": ["cpe:/o:redhat:enterprise_linux:7"], "vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "packageName": "glibc", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2023-09-04T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-03T17:00:00+00:00", "value": "Made public."}], "datePublic": "2023-10-03T17:00:00.000Z", "references": [{"url": "https://access.redhat.com/errata/RHSA-2023:5453", "name": "RHSA-2023:5453", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5454", "name": "RHSA-2023:5454", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5455", "name": "RHSA-2023:5455", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2023:5476", "name": "RHSA-2023:5476", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/errata/RHSA-2024:0033", "name": "RHSA-2024:0033", "tags": ["vendor-advisory", "x_refsource_REDHAT"]}, {"url": "https://access.redhat.com/security/cve/CVE-2023-4911", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352", "name": "RHBZ#2238352", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"}, {"url": "https://www.qualys.com/cve-2023-4911/"}], "workarounds": [{"lang": "en", "value": "For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. `GLIBC_TUNABLES= sudo` . \n\nNote that these mitigation steps will need to be repeated if the system is rebooted.\n\n1) Install required systemtap packages and dependencies as per - https://access.redhat.com/solutions/5441\n\n\n2) Create the following systemtap script, and name it stap_block_suid_tunables.stp:\n ~~~\nfunction has_tunable_string:long()\n{\n name = \"GLIBC_TUNABLES\"\n\n mm = @task(task_current())->mm;\n if (mm)\n {\n env_start = @mm(mm)->env_start;\n env_end = @mm(mm)->env_end;\n\n if (env_start != 0 && env_end != 0)\n while (env_end > env_start)\n {\n cur = user_string(env_start, \"\");\n env_name = tokenize(cur, \"=\");\n \n if (env_name == name && tokenize(\"\", \"\") != \"\")\n return 1;\n env_start += strlen (cur) + 1\n }\n }\n\n return 0;\n}\n\nprobe process(\"/lib*/ld*.so*\").function(\"__tunables_init\")\n{\n atsecure = 0;\n /* Skip processing if we can't read __libc_enable_secure, e.g. core dump\n handler (systemd-cgroups-agent and systemd-coredump). */\n try { atsecure = @var(\"__libc_enable_secure\"); }\n catch { printk (4, sprintf (\"CVE-2023-4911: Skipped check: %s (%d)\", execname(), pid())); }\n if (atsecure && has_tunable_string ())\n raise (9);\n}\n~~~\n\n3) Load the systemtap module into the running kernel:\n ~~~\n stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp\n ~~~\n\n4) Ensure the module is loaded:\n ~~~\n lsmod | grep -i stap_block_suid_tunables\nstap_block_suid_tunables 249856 0\n~~~\n\n5) Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:\n ~~~\n rmmod stap_block_suid_tunables\n ~~~\n\nIf Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap"}], "descriptions": [{"lang": "en", "value": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-122", "description": "Heap-based Buffer Overflow"}]}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-11-23T01:12:42.567Z"}, "x_redhatCweChain": "CWE-122: Heap-based Buffer Overflow"}}, "cveMetadata": {"cveId": "CVE-2023-4911", "state": "PUBLISHED", "dateUpdated": "2025-01-28T16:07:20.500Z", "dateReserved": "2023-09-12T13:10:32.495Z", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "datePublished": "2023-10-03T17:25:08.434Z", "assignerShortName": "redhat"}, "dataVersion": "5.1"}

{"cisaActionDue": "2023-12-12", "cisaExploitAdd": "2023-11-21", "cisaRequiredAction": "Apply mitigations per vendor instructions or discontinue use of the product if mitigations are unavailable.", "cisaVulnerabilityName": "GNU C Library Buffer Overflow Vulnerability", "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gnu:glibc:*:*:*:*:*:*:*:*", "matchCriteriaId": "71609239-5262-473E-ACCE-18AE51AB184E", "versionEndExcluding": "2.39", "versionStartIncluding": "2.34", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*", "matchCriteriaId": "E30D0E6F-4AE8-4284-8716-991DFA48CC5D", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*", "matchCriteriaId": "CC559B26-5DFC-4B7A-A27C-B77DE755DFF9", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*", "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:redhat:codeready_linux_builder:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "2ABBAA9E-CCBA-480B-ABB5-454448D91262", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "8BE16CC2-C6B4-4B73-98A1-F28475A92F49", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_eus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "936B046D-ADEB-4701-8957-AC28CFA9C5C9", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_eus:9.4:*:*:*:*:*:*:*", "matchCriteriaId": "2C4B0BD8-527F-4728-A64B-F8F06D5EDEC5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_arm64:9.0_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "910C9542-26FC-4635-9351-128727971830", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "FB1DF28D-0D84-4E40-8E46-BA0EFD371111", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.2_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "09AAD850-019A-46B8-A5A1-845DE048D30A", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_arm64_eus:9.4_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "88F9EB73-1F19-4BD9-AB19-36F9F1A5156E", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*", "matchCriteriaId": "CA3C5EAE-267F-410F-8AFA-8F5B68A9E617", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "3C1A0CA2-2BBD-4A7A-B467-F456867D5EC6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.2_s390x:*:*:*:*:*:*:*", "matchCriteriaId": "86034E5B-BCDD-4AFD-A460-38E790F608F5", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_ibm_z_systems_eus:9.4_s390x:*:*:*:*:*:*:*", "matchCriteriaId": "35232613-B8B5-4F4D-A6CD-3823C6666534", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "7B3D7389-35C1-48C4-A9EC-2564842723C4", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "845B853C-8F99-4987-AA8E-76078CE6A977", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.2_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "C2ED1251-245C-4390-8964-DDCAD54A8957", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:codeready_linux_builder_for_power_little_endian_eus:9.4_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "03A1BB59-4BE6-4339-ABB7-C18B7D899FB9", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "6BBD7A51-0590-4DDF-8249-5AFA8D645CB6", "vulnerable": true}, {"criteria": "cpe:2.3:a:redhat:virtualization_host:4.0:*:*:*:*:*:*:*", "matchCriteriaId": "BB28F9AF-3D06-4532-B397-96D7E4792503", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "7F6FB57C-2BC7-487C-96DD-132683AEB35D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "6C3741B8-851F-475D-B428-523F4F722350", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "3C74F6FA-FA6C-4648-9079-91446E45EE47", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.4:*:*:*:*:*:*:*", "matchCriteriaId": "B03506D7-0FCD-47B7-90F6-DDEEB5C5A733", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64:9.0_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "2F7DAD7C-9369-4A87-A1D0-4208D3AF0CDC", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:8.6_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "37B7CE5C-BFEA-4F96-9759-D511EF189059", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.2_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "9A879F9F-F087-45D4-BD65-2990276477D2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_arm_64_eus:9.4_aarch64:*:*:*:*:*:*:*", "matchCriteriaId": "01363FFA-F7A6-43FC-8D47-E67F95410095", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems:9.0_s390x:*:*:*:*:*:*:*", "matchCriteriaId": "FB056B47-1F45-4CE4-81F6-872F66C24C29", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.2_s390x:*:*:*:*:*:*:*", "matchCriteriaId": "26041661-0280-4544-AA0A-BC28FCED4699", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus:9.4_s390x:*:*:*:*:*:*:*", "matchCriteriaId": "F843B777-5C64-4CAE-80D6-89DC2C9515B1", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_ibm_z_systems_eus_s390x:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "B2C0ED62-9DEE-437C-AC01-0173128259DB", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_big_endian_eus:8.6_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "A633E21A-EBAA-41C9-A009-A36BDC762464", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian:9.0_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "E07C1C58-0E5F-4B56-9B8D-5DE67DB00F79", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.2_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "99952557-C766-4B9E-8BF5-DBBA194349FF", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_for_power_little_endian_eus:9.4_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "FC3CBA5D-9E5D-4C46-B37E-7BB35BE8DADB", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "76C24D94-834A-4E9D-8F73-624AFA99AAA2", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:9.2:*:*:*:*:*:*:*", "matchCriteriaId": "F32CA554-F9D7-425B-8F1C-89678507F28C", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_aus:9.4:*:*:*:*:*:*:*", "matchCriteriaId": "39D345D3-108A-4551-A112-5EE51991411A", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.2_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "CC6A25CB-907A-4D05-8460-A2488938A8BE", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_for_power_little_endian_update_services_for_sap_solutions:9.4_ppc64le:*:*:*:*:*:*:*", "matchCriteriaId": "3C30F155-DF7D-4195-92D9-A5B80407228D", "vulnerable": true}, {"criteria": "cpe:2.3:o:redhat:enterprise_linux_server_tus:8.6:*:*:*:*:*:*:*", "matchCriteriaId": "1272DF03-7674-4BD4-8E64-94004B195448", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*", "matchCriteriaId": "359012F1-2C63-415A-88B8-6726A87830DE", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*", "matchCriteriaId": "B2E702D7-F8C0-49BF-9FFB-883017076E98", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*", "matchCriteriaId": "FA6FEEC2-9F11-4643-8827-749718254FED", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*", "matchCriteriaId": "46D69DCC-AE4D-4EA5-861C-D60951444C6C", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h410c_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "234DEFE0-5CE5-4B0A-96B8-5D227CB8ED31", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h410c:-:*:*:*:*:*:*:*", "matchCriteriaId": "CDDF61B7-EC5C-467C-B710-B89F502CD04F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h300s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "6770B6C3-732E-4E22-BF1C-2D2FD610061C", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h300s:-:*:*:*:*:*:*:*", "matchCriteriaId": "9F9C8C20-42EB-4AB5-BD97-212DEB070C43", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h500s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "7FFF7106-ED78-49BA-9EC5-B889E3685D53", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h500s:-:*:*:*:*:*:*:*", "matchCriteriaId": "E63D8B0F-006E-4801-BF9D-1C001BBFB4F9", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h700s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "56409CEC-5A1E-4450-AA42-641E459CC2AF", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h700s:-:*:*:*:*:*:*:*", "matchCriteriaId": "B06F4839-D16A-4A61-9BB5-55B13F41E47F", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:netapp:h410s_firmware:-:*:*:*:*:*:*:*", "matchCriteriaId": "D0B4AD8A-F172-4558-AEC6-FF424BA2D912", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:netapp:h410s:-:*:*:*:*:*:*:*", "matchCriteriaId": "8497A4C9-8474-4A62-8331-3FE862ED4098", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:netapp:ontap_select_deploy_administration_utility:-:*:*:*:*:*:*:*", "matchCriteriaId": "E7CF3019-975D-40BB-A8A4-894E62BD3797", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges."}, {"lang": "es", "value": "Se descubri\u00f3 un desbordamiento del b\u00fafer en el cargador din\u00e1mico ld.so de la librer\u00eda GNU C mientras se procesaba la variable de entorno GLIBC_TUNABLES. Este problema podr\u00eda permitir que un atacante local utilice variables de entorno GLIBC_TUNABLES manipuladas con fines malintencionados al iniciar archivos binarios con permiso SUID para ejecutar c\u00f3digo con privilegios elevados."}], "id": "CVE-2023-4911", "lastModified": "2025-01-27T21:45:46.857", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-10-03T18:15:10.463", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5453"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5454"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5455"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5476"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0033"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4911"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352"}, {"source": "secalert@redhat.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.qualys.com/cve-2023-4911/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List", "Third Party Advisory"], "url": "http://seclists.org/fulldisclosure/2023/Oct/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/10/03/2"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/10/03/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/10/05/1"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/10/13/11"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/10/14/3"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/10/14/5"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "http://www.openwall.com/lists/oss-security/2023/10/14/6"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5453"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5454"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5455"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2023:5476"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/errata/RHSA-2024:0033"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4911"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202310-03"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20231013-0006/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List"], "url": "https://www.debian.org/security/2023/dsa-5514"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.qualys.com/cve-2023-4911/"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-122"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"acknowledgement": "Red Hat would like to thank Qualys Research Labs for reporting this issue.", "affected_release": [{"advisory": "RHSA-2023:5455", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "glibc-0:2.28-225.el8_8.6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5455", "cpe": "cpe:/o:redhat:enterprise_linux:8", "package": "glibc-0:2.28-225.el8_8.6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5476", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "glibc-0:2.28-189.6.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5453", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "glibc-0:2.34-60.el9_2.7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5453", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "glibc-0:2.34-60.el9_2.7", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5454", "cpe": "cpe:/a:redhat:rhel_eus:9.0", "package": "glibc-0:2.34-28.el9_0.4", "product_name": "Red Hat Enterprise Linux 9.0 Extended Update Support", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2023:5476", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "glibc-0:2.28-189.6.el8_6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2023-10-05T00:00:00Z"}, {"advisory": "RHSA-2024:0033", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "redhat-release-virtualization-host-0:4.5.3-10.el8ev", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2024-01-03T00:00:00Z"}, {"advisory": "RHSA-2024:0033", "cpe": "cpe:/o:redhat:rhev_hypervisor:4.4::el8", "package": "redhat-virtualization-host-0:4.5.3-202312060823_8.6", "product_name": "Red Hat Virtualization 4 for Red Hat Enterprise Linux 8", "release_date": "2024-01-03T00:00:00Z"}], "bugzilla": {"description": "glibc: buffer overflow in ld.so leading to privilege escalation", "id": "2238352", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2238352"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.8", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-122", "details": ["A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.", "A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges."], "mitigation": {"lang": "en:us", "value": "For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. `GLIBC_TUNABLES= sudo` . \nNote that these mitigation steps will need to be repeated if the system is rebooted.\n1) Install required systemtap packages and dependencies as per - https://access.redhat.com/solutions/5441\n2) Create the following systemtap script, and name it stap_block_suid_tunables.stp:\n~~~\nfunction has_tunable_string:long()\n{\nname = \"GLIBC_TUNABLES\"\nmm = @task(task_current())->mm;\nif (mm)\n{\nenv_start = @mm(mm)->env_start;\nenv_end = @mm(mm)->env_end;\nif (env_start != 0 && env_end != 0)\nwhile (env_end > env_start)\n{\ncur = user_string(env_start, \"\");\nenv_name = tokenize(cur, \"=\");\nif (env_name == name && tokenize(\"\", \"\") != \"\")\nreturn 1;\nenv_start += strlen (cur) + 1\n}\n}\nreturn 0;\n}\nprobe process(\"/lib*/ld*.so*\").function(\"__tunables_init\")\n{\natsecure = 0;\n/* Skip processing if we can't read __libc_enable_secure, e.g. core dump\nhandler (systemd-cgroups-agent and systemd-coredump). */\ntry { atsecure = @var(\"__libc_enable_secure\"); }\ncatch { printk (4, sprintf (\"CVE-2023-4911: Skipped check: %s (%d)\", execname(), pid())); }\nif (atsecure && has_tunable_string ())\nraise (9);\n}\n~~~\n3) Load the systemtap module into the running kernel:\n~~~\nstap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp\n~~~\n4) Ensure the module is loaded:\n~~~\nlsmod | grep -i stap_block_suid_tunables\nstap_block_suid_tunables 249856 0\n~~~\n5) Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:\n~~~\nrmmod stap_block_suid_tunables\n~~~\nIf Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap"}, "name": "CVE-2023-4911", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "compat-glibc", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "glibc", "product_name": "Red Hat Enterprise Linux 7"}], "public_date": "2023-10-03T17:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4911\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4911\nhttps://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt\nhttps://www.qualys.com/cve-2023-4911/\nhttps://www.cisa.gov/known-exploited-vulnerabilities-catalog"], "statement": "This vulnerability was introduced in glibc version 2.34. RHEL-8 ships glibc 2.28, which is not originally affected by this vulnerability. However, the commit that introduced this vulnerability was backported to RHEL-8.5, making this version and onward vulnerable. RHEL-8.4 and older are not affected by this vulnerability.", "threat_severity": "Important"}

Metrics

Attack Vector Local

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation Active

Automatable no

Technical Impact Total

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object