CVE-2023-4911

2023-10-0317:24:53

redhat.com

access.redhat.com

146

buffer overflow

gnu c library

dynamic loader

glibc_tunables

suid permission

mitigation

systemtap

secure boot

7.8 High

CVSS3

Attack Vector

LOCAL

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

0.014 Low

EPSS

Percentile

86.5%

JSON

A buffer overflow was discovered in the GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

Mitigation

For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. GLIBC_TUNABLES= sudo .

Note that these mitigation steps will need to be repeated if the system is rebooted.

Install required systemtap packages and dependencies as per - <https://access.redhat.com/solutions/5441>
Create the following systemtap script, and name it stap_block_suid_tunables.stp:

function has_tunable_string:long()
{
name = “GLIBC_TUNABLES”

mm = @task(task_current())->mm;
if (mm)
{
env_start = @mm(mm)->env_start;
env_end = @mm(mm)->env_end;
```
   if (env_start != 0 && env_end != 0)  
     while (env_end &gt; env_start)  
       {  
         cur = user_string(env_start, "");  
         env_name = tokenize(cur, "=");  
     
         if (env_name == name && tokenize("", "") != "")  
           return 1;  
         env_start += strlen (cur) + 1  
       }  
 }  
```
return 0;
}

probe process(“/lib*/ld*.so*”).function(“__tunables_init”)
{
atsecure = 0;
/* Skip processing if we can’t read __libc_enable_secure, e.g. core dump
handler (systemd-cgroups-agent and systemd-coredump). */
try { atsecure = @var(“__libc_enable_secure”); }
catch { printk (4, sprintf (“CVE-2023-4911: Skipped check: %s (%d)”, execname(), pid())); }
if (atsecure && has_tunable_string ())
raise (9);
}

Load the systemtap module into the running kernel:

 stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp

Ensure the module is loaded:
```
  lsmod | grep -i stap_block_suid_tunables  
```
stap_block_suid_tunables 249856 0
Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:
```
 rmmod stap_block_suid_tunables  
```

If Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - <https://www.redhat.com/sysadmin/secure-boot-systemtap>