Malicious local attackers can gain full root access on Linux machines by exploiting a newly disclosed security flaw in the GNU C library (aka glibc).
Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc’s __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It is said to have been accidentally introduced in August 2022 with the release of glibc 2.37.
“This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access,” Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said, adding that it impacts major Linux distributions like Debian, Ubuntu, and Fedora.
A threat actor could exploit the flaw to obtain elevated permissions via specially crafted inputs to applications that use these logging functions.
“Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library,” Abbasi noted.
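The two conditions named above, a long argv[0] and a long openlog() ident, are both strings an application can bound before they reach the logging code. The following is an added example, not code from Qualys or glibc: `bounded_ident()`, `hardened_openlog()` and the 64-byte `IDENT_MAX` limit are hypothetical names and an assumed policy value, and the wrapper is an application-side hardening measure alongside an updated glibc.

```c
#include <ctype.h>
#include <string.h>
#include <syslog.h>

#define IDENT_MAX 64   /* assumed policy limit, not a glibc constant */

/* openlog() stores the pointer it is given instead of copying the string,
 * so the bounded copy has to live in static storage. */
static char ident_buf[IDENT_MAX + 1];

/* Hypothetical helper: basename of `name`, cut to IDENT_MAX bytes, with
 * non-printable bytes replaced so the tag cannot carry control characters. */
const char *bounded_ident(const char *name)
{
    const char *base = name ? name : "";
    const char *slash = strrchr(base, '/');
    size_t n = 0;

    if (slash)
        base = slash + 1;
    if (*base == '\0')
        base = "unknown";

    while (n < IDENT_MAX && base[n] != '\0') {
        unsigned char c = (unsigned char)base[n];
        ident_buf[n] = isprint(c) ? (char)c : '?';
        n++;
    }
    ident_buf[n] = '\0';
    return ident_buf;
}

/* Hypothetical wrapper: the only place the program calls openlog().
 * Without any openlog() call, syslog() tags messages with the program
 * name derived from argv[0], so an explicit bounded ident covers both cases. */
void hardened_openlog(const char *argv0, int option, int facility)
{
    openlog(bounded_ident(argv0), option, facility);
}

int main(int argc, char **argv)
{
    /* argv[0] is chosen by whoever executes the program; never pass it raw. */
    hardened_openlog(argc > 0 ? argv[0] : NULL, LOG_PID, LOG_USER);
    syslog(LOG_INFO, "service started");
    closelog();
    return 0;
}
```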
The cybersecurity firm said further analysis of glibc unearthed two more flaws in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third bug in the library’s qsort() function that can lead to memory corruption.
The vulnerability found in qsort() has affected all glibc versions released since 1992.
The development comes nearly four months after Qualys detailed another high-severity flaw in the same library called Looney Tunables (CVE-2023-4911, CVSS score: 7.8) that could result in privilege escalation.
“These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications,” Abbasi said.



