New Linux glibc flaw lets attackers get root on major distros

​Unprivileged attackers can get root access on multiple major Linux distributions in default configurations by exploiting a newly disclosed local privilege escalation (LPE) vulnerability in the GNU C Library (glibc).

Tracked as CVE-2023-6246, this security flaw was found in glibc's __vsyslog_internal() function, called by the widely-used syslog and vsyslog functions for writing messages to the system message logger.

The bug is due to a heap-based buffer overflow weakness accidentally introduced in glibc 2.37 in August 2022 and later backported to glibc 2.36 when addressing a less severe vulnerability tracked as CVE-2022-39046.

"The buffer overflow issue poses a significant threat as it could allow local privilege escalation, enabling an unprivileged user to gain full root access through crafted inputs to applications that employ these logging functions," Qualys security researchers said.

"Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library."

Impacts Debian, Ubuntu, and Fedora systems

While testing their findings, Qualys confirmed that Debian 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39 were all vulnerable to CVE-2023-6246 exploits, allowing any unprivileged user to escalate privileges to full root access on default installations.

Although their tests were limited to a handful of distros, the researchers added that "other distributions are probably also exploitable."

While analyzing glibc for other potential security issues, the researchers also found three other vulnerabilities, two of them—harder to exploit—in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third one (a memory corruption issue still waiting for a CVEID) in glibc's qsort () function.

"The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications," said Saeed Abbasi, Product Manager at Qualys' Threat Research Unit.

"These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications."

Other Linux root escalation flaws found by Qualys

Over the past few years, researchers at Qualys have found several other Linux security vulnerabilities that can let attackers gain complete control over unpatched Linux systems, even in default configurations.

Vulnerabilities they discovered include a flaw in glibc's ld.so dynamic loader (Looney Tunables), one in Polkit's pkexec component (dubbed PwnKit), another in the Kernel's filesystem layer (dubbed Sequoia), and in the Sudo Unix program (aka Baron Samedit).

Days after the Looney Tunables flaw (CVE-2023-4911) was disclosed, proof-of-concept (PoC) exploits were published online, and threat actors started exploiting it one month later to steal cloud service provider (CSP) credentials in Kinsing malware attacks.

The Kinsing gang is known for deploying cryptocurrency mining malware on compromised cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins servers.

CISA later ordered U.S. federal agencies to secure their Linux systems against CVE-2023-4911 attacks after adding it to its catalog of actively exploited bugs and tagging it as posing "significant risks to the federal enterprise."