CVSS v3.1 base score: 7.8 (High)
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector string: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS score: 0.014 (Low), percentile 86.5%
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
For customers who cannot update immediately and do not have the Secure Boot feature enabled, the issue can be mitigated with the SystemTap script below, using the following steps. While the module is loaded, any setuid program invoked with GLIBC_TUNABLES set to a non-empty value in its environment is terminated immediately with SIGKILL. To invoke such a program, users must unset or clear GLIBC_TUNABLES first, e.g. GLIBC_TUNABLES= sudo (an empty value is not blocked).
Note that the module does not survive a reboot, so these mitigation steps must be repeated after every reboot of the system.
Install the required SystemTap packages and their dependencies as described in <https://access.redhat.com/solutions/5441>
Create the following systemtap script, and name it stap_block_suid_tunables.stp:
function has_tunable_string:long()
{
  name = "GLIBC_TUNABLES"
  mm = @task(task_current())->mm;
  if (mm)
    {
      /* The process's initial environment is stored between env_start and
         env_end as consecutive NUL-terminated "NAME=value" strings. */
      env_start = @mm(mm)->env_start;
      env_end = @mm(mm)->env_end;

      if (env_start != 0 && env_end != 0)
        while (env_end > env_start)
          {
            cur = user_string(env_start, "");
            env_name = tokenize(cur, "=");

            /* Match only when the name is GLIBC_TUNABLES and the remainder
               after '=' is non-empty; "GLIBC_TUNABLES=" is left alone. */
            if (env_name == name && tokenize("", "") != "")
              return 1;

            env_start += strlen (cur) + 1
          }
    }

  return 0;
}

probe process("/lib*/ld*.so*").function("__tunables_init")
{
  atsecure = 0;
  /* Skip processing if we can't read __libc_enable_secure, e.g. core dump
     handler (systemd-cgroups-agent and systemd-coredump).  */
  try { atsecure = @var("__libc_enable_secure"); }
  catch { printk (4, sprintf ("CVE-2023-4911: Skipped check: %s (%d)", execname(), pid())); }

  /* AT_SECURE process (setuid/setgid/capabilities) with GLIBC_TUNABLES set:
     deliver SIGKILL before the tunables parser runs. */
  if (atsecure && has_tunable_string ())
    raise (9);
}
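To make the decision the script takes readable and testable outside the kernel, here is the same rule as a user-space C program. This is an added example, not Red Hat's mitigation or glibc code: it walks a constructed environment block the way has_tunable_string() walks the region between mm->env_start and mm->env_end, and it reports a hit only when an entry's name (the text before the first '=') is exactly GLIBC_TUNABLES and the value is non-empty, which is why "GLIBC_TUNABLES= sudo" still launches the setuid program. The sample environment blocks in main() are constructed, not captured from a real process; ENV_BLOCK, entry_is_tunable and envp_has_tunable are names chosen for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

extern char **environ;

/* Added example (not Red Hat's or glibc's code): the SystemTap mitigation's
 * has_tunable_string() rule re-expressed in C.
 *
 * The kernel keeps a process's initial environment as consecutive
 * NUL-terminated "NAME=value" strings in [mm->env_start, mm->env_end).
 * Here that region is an ordinary buffer plus a length. */

#define TUNABLES_NAME "GLIBC_TUNABLES"
#define TUNABLES_NAME_LEN (sizeof(TUNABLES_NAME) - 1)

/* Pass a string literal with embedded "\0" separators as (ptr, length).
 * Hypothetical helper for this example. */
#define ENV_BLOCK(lit) (lit), (sizeof(lit) - 1)

/* Decide for one "NAME=value" entry of known length: the name must be
 * exactly GLIBC_TUNABLES and at least one byte of value must follow '='. */
static int entry_is_tunable(const char *s, size_t slen)
{
    if (slen <= TUNABLES_NAME_LEN + 1)          /* "GLIBC_TUNABLES=" alone is allowed */
        return 0;
    if (memcmp(s, TUNABLES_NAME, TUNABLES_NAME_LEN) != 0)
        return 0;
    if (s[TUNABLES_NAME_LEN] != '=')            /* e.g. GLIBC_TUNABLES_X=1 is another name */
        return 0;
    return 1;
}

/* Walk an env region the way the script walks env_start..env_end. */
int has_tunable_string(const char *env, size_t len)
{
    const char *cur = env;
    const char *end = env + len;

    while (cur < end) {
        /* Bounded scan for the terminator: a final entry without a NUL
         * simply ends at the region boundary. */
        size_t slen = 0;
        while (cur + slen < end && cur[slen] != '\0')
            slen++;

        if (entry_is_tunable(cur, slen))
            return 1;

        cur += slen + 1;                        /* skip the entry and its NUL */
    }
    return 0;
}

/* Same decision over a NULL-terminated envp array such as environ. */
int envp_has_tunable(char *const envp[])
{
    for (size_t i = 0; envp[i] != NULL; i++)
        if (entry_is_tunable(envp[i], strlen(envp[i])))
            return 1;
    return 0;
}

int main(void)
{
    /* Constructed sample environment blocks, not captured from a real process. */
    int set = has_tunable_string(ENV_BLOCK("PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.check=1\0HOME=/root\0"));
    int cleared = has_tunable_string(ENV_BLOCK("PATH=/usr/bin\0GLIBC_TUNABLES=\0HOME=/root\0"));

    printf("GLIBC_TUNABLES set     -> %d (setuid program would be killed)\n", set);
    printf("GLIBC_TUNABLES cleared -> %d (allowed, like GLIBC_TUNABLES= sudo)\n", cleared);
    printf("this process           -> %d\n", envp_has_tunable(environ));
    return 0;
}
```

Running the program with `GLIBC_TUNABLES=glibc.malloc.check=1 ./a.out` flips the last line to 1; the script would have sent SIGKILL at that point if the process were AT_SECURE.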
Load the systemtap module into the running kernel:
stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp
Ensure the module is loaded:
lsmod | grep -i stap_block_suid_tunables
stap_block_suid_tunables 249856 0
Once the glibc package has been updated to a version containing the fix, the SystemTap-generated kernel module can be removed by running:
rmmod stap_block_suid_tunables
If Secure Boot is enabled on a system, the SystemTap module must be signed before it can be loaded. An external compile server can be used to sign the generated kernel module with a key enrolled in the kernel's keyring, or, starting with SystemTap 4.7, a module can be signed without a compile server. See <https://www.redhat.com/sysadmin/secure-boot-systemtap> for details.