CVE-2023-4911

Tags: Known Exploited, Public Exploit
Glibc: buffer overflow in ld.so leading to privilege escalation

Description

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while it processes the GLIBC_TUNABLES environment variable (the issue is also known as "Looney Tunables", the name used in the Qualys advisory listed under References). A local attacker can place a maliciously crafted GLIBC_TUNABLES variable in the environment of a binary with SUID permission; because ld.so parses the variable before the program's own code runs, the overflow lets the attacker execute code with the elevated privileges of that binary.

Remediation

Workaround:

  • For customers who cannot update immediately and do not have the Secure Boot feature enabled, the issue can be mitigated with the SystemTap script below. Once the script is loaded, any setuid program invoked with a non-empty GLIBC_TUNABLES in its environment is terminated immediately with SIGKILL. To invoke a setuid program, users then have to unset or clear the GLIBC_TUNABLES variable, e.g. `GLIBC_TUNABLES= sudo`. Note that the module is not persistent: these mitigation steps must be repeated after every reboot.

  1) Install the required systemtap packages and dependencies as described in https://access.redhat.com/solutions/5441

  2) Create the following SystemTap script and name it stap_block_suid_tunables.stp:

~~~
/* Returns 1 if the current task's environment contains GLIBC_TUNABLES with a
   non-empty value (an empty "GLIBC_TUNABLES=" is allowed through). */
function has_tunable_string:long() {
  name = "GLIBC_TUNABLES"
  mm = @task(task_current())->mm;
  if (mm) {
    env_start = @mm(mm)->env_start;
    env_end = @mm(mm)->env_end;
    if (env_start != 0 && env_end != 0)
      while (env_end > env_start) {
        cur = user_string(env_start, "");
        env_name = tokenize(cur, "=");
        if (env_name == name && tokenize("", "") != "")
          return 1;
        env_start += strlen (cur) + 1
      }
  }
  return 0;
}

/* Fires when the dynamic loader starts parsing tunables; only AT_SECURE
   (setuid/setgid) processes are checked, and offenders get SIGKILL. */
probe process("/lib*/ld*.so*").function("__tunables_init") {
  atsecure = 0;
  /* Skip processing if we can't read __libc_enable_secure, e.g. core dump
     handler (systemd-cgroups-agent and systemd-coredump). */
  try {
    atsecure = @var("__libc_enable_secure");
  } catch {
    printk (4, sprintf ("CVE-2023-4911: Skipped check: %s (%d)", execname(), pid()));
  }
  if (atsecure && has_tunable_string ())
    raise (9);
}
~~~

  3) Load the SystemTap module into the running kernel:

~~~
stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp
~~~

  4) Ensure the module is loaded:

~~~
lsmod | grep -i stap_block_suid_tunables
stap_block_suid_tunables 249856 0
~~~

  5) Once the glibc package has been updated to a version containing the fix, remove the SystemTap-generated kernel module:

~~~
rmmod stap_block_suid_tunables
~~~

If Secure Boot is enabled on the system, the SystemTap module must be signed. An external compile server can be used to sign the generated kernel module with a key enrolled in the kernel's keyring, or, starting with SystemTap 4.7, you can sign a module without a compile server. See https://www.redhat.com/sysadmin/secure-boot-systemtap for details.
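As an added example (not part of the Red Hat advisory text and not the SystemTap script itself), the POSIX shell helper below covers the two checks a practitioner wants before and after applying the workaround: it runs the non-destructive crash probe published in the Qualys advisory listed under References, in which a malformed GLIBC_TUNABLES value handed to a setuid binary makes a vulnerable ld.so segfault before the program runs, and it inspects lsmod output for the stap_block_suid_tunables module. The function names, the default target /usr/bin/su, the exit-status mapping and the sample lsmod text in the usage are this example's own choices, not the advisory's.

```sh
#!/bin/sh
# Added example, not part of the Red Hat advisory or the SystemTap workaround.
# Two checks around CVE-2023-4911:
#   1. the non-destructive crash probe from the Qualys advisory (References):
#      a malformed GLIBC_TUNABLES value given to a setuid binary makes a
#      vulnerable ld.so segfault before the program's own code runs;
#   2. whether the stap_block_suid_tunables mitigation module is loaded.
# Function names and the default target /usr/bin/su are this example's choices.
# Usage: sh looney_check.sh --run   (as an unprivileged user)

# Turn the exit status of the probe child into a verdict.
#   139 = 128+SIGSEGV : the tunables parser overflowed   -> vulnerable
#   137 = 128+SIGKILL : the SystemTap probe raise(9)'d   -> mitigated
#     0               : su printed its help normally     -> patched
#   anything else (e.g. 126/127 when su is missing)      -> inconclusive
classify_probe_status() {
    case "$1" in
        139) echo vulnerable ;;
        137) echo mitigated ;;
        0)   echo patched ;;
        *)   echo inconclusive ;;
    esac
}

# Run the probe. env -i clears the environment so only two variables reach
# ld.so: the malformed GLIBC_TUNABLES string and the 8 KiB padding variable
# the advisory's probe uses to make the crash reliable. Nothing is exploited:
# the child either prints its help or dies in the loader.
run_probe() {
    target="${1:-/usr/bin/su}"
    if [ ! -x "$target" ]; then
        echo inconclusive
        return 0
    fi
    pad=$(printf '%08192x' 1)
    status=0
    env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" \
           "Z=$pad" "$target" --help >/dev/null 2>&1 || status=$?
    classify_probe_status "$status"
}

# Report whether the workaround's kernel module appears in lsmod output.
# The text is passed in as an argument so the check can be tested offline:
#   stap_mitigation_loaded "$(lsmod)"
stap_mitigation_loaded() {
    printf '%s\n' "$1" |
        awk '$1 == "stap_block_suid_tunables" { found = 1 } END { exit !found }'
}

if [ "${1:-}" = "--run" ]; then
    echo "ld.so probe verdict : $(run_probe)"
    if stap_mitigation_loaded "$(lsmod 2>/dev/null)"; then
        echo "SystemTap mitigation: loaded"
    else
        echo "SystemTap mitigation: not loaded"
    fi
fi
```

Run the probe as an unprivileged user, since a setuid target is the point; a "mitigated" verdict means the SystemTap module killed the child before ld.so reached the overflow, which also tells you the module is doing its job, while "patched" only shows that this one loader binary no longer crashes on the advisory's input.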

Categories

CVSS 3.1 base score: 7.8 (Severity: High)
EPSS: 78.60% (Top 5%)
KEV Since:
Vendor Advisory: redhat.com
Affected: Red Hat Enterprise Linux 6
Affected: Red Hat Enterprise Linux 7
Affected: Red Hat Enterprise Linux 8
Affected: Red Hat Enterprise Linux 8.6 Extended Update Support
Affected: Red Hat Enterprise Linux 9
Affected: Red Hat Enterprise Linux 9.0 Extended Update Support
Affected: Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
Published at:
Updated at:

References

Link [tags]
https://access.redhat.com/errata/RHBA-2024:2413 [third party advisory, vendor advisory]
https://access.redhat.com/errata/RHSA-2023:5453 [third party advisory, vendor advisory]
https://access.redhat.com/errata/RHSA-2023:5454 [third party advisory, vendor advisory]
https://access.redhat.com/errata/RHSA-2023:5455 [third party advisory, vendor advisory]
https://access.redhat.com/errata/RHSA-2023:5476 [third party advisory, vendor advisory]
https://access.redhat.com/errata/RHSA-2024:0033 [third party advisory, vendor advisory]
https://access.redhat.com/security/cve/CVE-2023-4911 [third party advisory, vdb entry]
https://bugzilla.redhat.com/show_bug.cgi?id=2238352 [patch, issue tracking]
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt [third party advisory, exploit]
https://www.qualys.com/cve-2023-4911/ [third party advisory]
http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html [exploit, third party advisory, vdb entry]
http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html [exploit, third party advisory, vdb entry]
http://seclists.org/fulldisclosure/2023/Oct/11 [exploit, mailing list, third party advisory]
http://www.openwall.com/lists/oss-security/2023/10/03/2 [exploit, mailing list]
http://www.openwall.com/lists/oss-security/2023/10/03/3 [mailing list]
http://www.openwall.com/lists/oss-security/2023/10/05/1 [mailing list]
http://www.openwall.com/lists/oss-security/2023/10/13/11 [mailing list]
http://www.openwall.com/lists/oss-security/2023/10/14/3 [mailing list]
http://www.openwall.com/lists/oss-security/2023/10/14/5 [mailing list]
http://www.openwall.com/lists/oss-security/2023/10/14/6 [mailing list]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/ [mailing list]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/ [mailing list]
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/ [mailing list]
https://security.gentoo.org/glsa/202310-03 [third party advisory]
https://security.netapp.com/advisory/ntap-20231013-0006/ [third party advisory]
https://www.debian.org/security/2023/dsa-5514 [mailing list]

Frequently Asked Questions

What is the severity of CVE-2023-4911?
CVE-2023-4911 is rated High severity, with a CVSS 3.1 base score of 7.8. It is a local privilege escalation: the attacker already needs the ability to run commands on the host, but from there can gain the privileges of any affected setuid binary.
How to fix CVE-2023-4911?
The fix is to update glibc. For Red Hat products, the fixed packages are shipped in the errata listed under References (RHSA-2023:5453, RHSA-2023:5454, RHSA-2023:5455, RHSA-2023:5476, RHSA-2024:0033 and RHBA-2024:2413). If you cannot update immediately and Secure Boot is not enabled, load the SystemTap mitigation described under Remediation above: it sends SIGKILL to any setuid program started with a non-empty GLIBC_TUNABLES in its environment, so users must run such programs with the variable cleared (e.g. `GLIBC_TUNABLES= sudo`), and it has to be reloaded after every reboot. With Secure Boot enabled the generated module must be signed before it can be loaded. Once the fixed glibc is installed, unload the module with `rmmod stap_block_suid_tunables`.
Is CVE-2023-4911 being actively exploited in the wild?
Yes. CVE-2023-4911 is listed in CISA's Known Exploited Vulnerabilities catalog, which means exploitation in the wild has been confirmed, and public exploit code is available (see the references tagged "exploit"). Its EPSS score of 78.60% places it in the top 5% of all CVEs and corresponds to a roughly 79% probability of exploitation activity in the next 30 days. Treat any unpatched host where untrusted users can run setuid binaries as exposed to local privilege escalation.
What software or system is affected by CVE-2023-4911?
CVE-2023-4911 affects Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, Red Hat Enterprise Linux 8, Red Hat Enterprise Linux 8.6 Extended Update Support, Red Hat Enterprise Linux 9, Red Hat Enterprise Linux 9.0 Extended Update Support and Red Hat Virtualization 4 for Red Hat Enterprise Linux 8. Other distributions that ship an affected glibc have issued their own advisories (Debian, Fedora, Gentoo and NetApp are among the references listed above).
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registered trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registered trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.