Critical Flaws Found in GNU C Library, Major Linux Distros at Risk

Patch Now or Pay Later: Qsort Flaw Leaves Millions of Linux Systems Exposed.

Millions of Linux systems are at risk due to four critical vulnerabilities found in the GNU C Library (glibc), a fundamental component of most Linux distributions.

The Qualys Threat Research Unit (TRU) discovered the four vulnerabilities: three in the library’s syslog() implementation and one in its qsort() function.

The first vulnerability, tracked as CVE-2023-6246, is a heap-based buffer overflow in the GNU C Library’s __vsyslog_internal() function, which is called by both syslog() and vsyslog().

The flaw was introduced in August 2022 by a change that shipped in glibc 2.37, and the same change was backported to glibc 2.36, so both releases are affected. Most major Linux distributions, including Debian, Ubuntu, and Fedora, ship a vulnerable build. The impact is local privilege escalation: an unprivileged local user can gain full root access.

The same function contains two further, lower-impact bugs: CVE-2023-6779, an off-by-one heap-based buffer overflow, and CVE-2023-6780, an integer overflow.

Both are considerably harder to trigger than CVE-2023-6246, and Qualys found that exploiting them reliably is harder still.

The last issue is a memory corruption in the GNU C Library’s qsort() function caused by a missing bounds check. glibc’s qsort() normally uses a merge sort that needs a malloc()’d temporary buffer and falls back to an in-place quicksort when that allocation fails; the missing check is in that fallback. The bug is therefore only reachable when qsort() is called with a nontransitive comparison function and the attacker controls enough elements to make the malloc() fail.
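To make the caller-side precondition concrete, here is an added example written for this article (it is not Qualys’s proof of concept and not glibc’s own code). It shows two comparators that are not consistent orderings, the textbook "return a - b" that wraps on large values and a deliberately cyclic rock-paper-scissors order, next to a correct one, plus a small audit helper that checks a comparator against every pair and triple of a sample. The function and array names are ours, and the sample values are constructed to hit the edge cases; nothing here tries to make malloc() fail.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef int (*cmp_fn)(const void *, const void *);

/* Constructed sample inputs for the checks below. */
const int sample_edge[] = { INT_MAX, -1, 0 };   /* values near INT_MAX expose "a - b" */
const int sample_rps[]  = { 0, 1, 2 };          /* rock, paper, scissors */

/* The classic buggy comparator "return a - b;".  Signed overflow is undefined
   behaviour in C, so the subtraction is done in unsigned arithmetic and only
   its sign bit is used; that is the sign a real "a - b" yields once it wraps. */
int cmp_int_subtract(const void *pa, const void *pb)
{
    unsigned d = (unsigned)*(const int *)pa - (unsigned)*(const int *)pb;
    if (d == 0)
        return 0;
    return d > (unsigned)INT_MAX ? -1 : 1;   /* sign bit set => "negative" */
}

/* A cyclic ordering: antisymmetric but not transitive.
   1 beats 0, 2 beats 1, and 0 beats 2. */
int cmp_rps(const void *pa, const void *pb)
{
    int a = *(const int *)pa, b = *(const int *)pb;
    if (a == b)
        return 0;
    return ((a - b + 3) % 3 == 1) ? 1 : -1;
}

/* A correct total order on int: never overflows, returns -1, 0 or 1. */
int cmp_int_safe(const void *pa, const void *pb)
{
    int a = *(const int *)pa, b = *(const int *)pb;
    return (a > b) - (a < b);
}

static int sgn(int v) { return (v > 0) - (v < 0); }

/* Exhaustively checks every pair and triple of the sample: returns 1 if cmp
   is antisymmetric and transitive on it, 0 (and prints the first violation)
   otherwise.  O(n^3), so meant for small, hand-picked edge-case samples. */
int comparator_is_consistent(cmp_fn cmp, const int *s, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        for (size_t j = 0; j < n; j++) {
            int ij = sgn(cmp(&s[i], &s[j]));
            int ji = sgn(cmp(&s[j], &s[i]));
            if (ij != -ji) {
                printf("not antisymmetric: cmp(%d,%d)=%d but cmp(%d,%d)=%d\n",
                       s[i], s[j], ij, s[j], s[i], ji);
                return 0;
            }
            for (size_t k = 0; k < n; k++) {
                int jk = sgn(cmp(&s[j], &s[k]));
                int ik = sgn(cmp(&s[i], &s[k]));
                /* i<j and j<k must give i<k; i==j and j==k must give i==k. */
                if ((ij < 0 && jk < 0 && ik >= 0) || (ij == 0 && jk == 0 && ik != 0)) {
                    printf("not transitive: cmp(%d,%d)=%d, cmp(%d,%d)=%d, cmp(%d,%d)=%d\n",
                           s[i], s[j], ij, s[j], s[k], jk, s[i], s[k], ik);
                    return 0;
                }
            }
        }
    }
    return 1;
}

/* qsort()s a copy of the sample with cmp and returns 1 if the result is in
   nondecreasing numeric order, 0 otherwise. */
int sorts_correctly(cmp_fn cmp, const int *s, size_t n)
{
    int *copy = malloc(n * sizeof *copy);
    if (copy == NULL)
        return 0;
    memcpy(copy, s, n * sizeof *copy);
    qsort(copy, n, sizeof *copy, cmp);
    int ok = 1;
    for (size_t i = 1; i < n; i++)
        if (copy[i - 1] > copy[i])
            ok = 0;
    free(copy);
    return ok;
}

int main(void)
{
    size_t ne = sizeof sample_edge / sizeof sample_edge[0];
    size_t nr = sizeof sample_rps / sizeof sample_rps[0];
    printf("a-b comparator consistent:  %d\n", comparator_is_consistent(cmp_int_subtract, sample_edge, ne));
    printf("rps comparator consistent:  %d\n", comparator_is_consistent(cmp_rps, sample_rps, nr));
    printf("safe comparator consistent: %d\n", comparator_is_consistent(cmp_int_safe, sample_edge, ne));
    printf("safe comparator sorts edge sample: %d\n", sorts_correctly(cmp_int_safe, sample_edge, ne));
    return 0;
}
```

The point of the helper is that a comparator which fails it is a bug in the calling program regardless of which glibc is installed: the in-place quicksort fallback only misbehaves because it was handed an ordering that is not a total order, so fixing the comparator removes the precondition for the corruption even on unpatched systems.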

All three syslog() issues are memory-safety bugs in the code that formats a log line before it is sent to the log socket: they corrupt heap memory and, in the case of CVE-2023-6246, let an unprivileged local user gain root. None of them is a remote code execution bug. An attacker must already be able to run code on the host; the realistic outcome is local privilege escalation and, from there, full compromise of that system and its data.

The syslog flaw is the one that yields root on the affected distributions; the qsort flaw yields memory corruption and has not been shown to give an attacker more than that. The qsort bug is, however, far older: it is present in every glibc release from 1.04 (September 1992) up to and including the current release, 2.38.

TRU reported the flaws to the glibc security team on 12 December 2023. The glibc team decided not to treat the qsort() memory corruption as a vulnerability in glibc, since a comparison function that is not a consistent total order already violates what the C standard requires of qsort() callers, but it still fixed the code: on 16 January 2024 the glibc developers backported commit b9390ba to all stable glibc branches, and the coordinated release date was set for 30 January 2024.

The discovery highlights the painful fact that even the most trusted components can have flaws. Bugs in a library this widely linked have far-reaching implications, potentially affecting millions of users globally and making a large number of applications vulnerable, as Saeed Abbasi, Product Manager at Qualys TRU, noted in the company’s blog post:

“The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications.”

Users should install their distribution’s updated glibc packages immediately. Because distributions backport the fix, the glibc version number alone does not tell you whether a system is patched; administrators should check the vendor advisory for their release. Developers should audit the comparison functions their code passes to qsort(), since glibc does not treat a nontransitive comparator as its own bug.
