A newly discovered high-severity Linux vulnerability that has been present on many Linux distributions for at least two years could allow threat actors to run malicious code with elevated privileges.

Discovered by researchers at the Qualys Threat Research Unit, the vulnerability has been dubbed “Looney Tunables” in reference to the GLIBC_TUNABLES environment variable involved in the vulnerability.

The GLIBC_TUNABLES environment variable, designed to allow users to alter the library’s behavior at runtime without recompilation, can be adjusted and allows users to modify various performance and behavior parameters of applications linked with the GNU C Library. Glibc is a fundamental part of most systems running Linux. It provides system calls and features such as memory allocation and input/output processing that are crucial for the operation of many programs.

However, the misuse or exploitation of this mechanism severely affects system performance, reliability and security, which is where the Looney Tunables vulnerability comes in. The successful use of the exploit can lead to full root privileges and, though the exploit code hasn’t been released, the researchers note that the ease with which the buffer overflow can morph into a data-only attack suggests that others may soon release exploits.

So far, the Qualys researchers have demonstrated the vulnerability on default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04 and Debian 12 and 13 and note that other distributions are likely susceptible. But a Linux distro called Alpine Linux is immune to the vulnerability because it does not use glibc.

“The Looney Tunables vulnerability (CVE-2023-4911) in the GNU C Library (glibc) notably jeopardizes system integrity and confidentiality across potentially MILLIONS of Linux systems, especially Fedora, Ubuntu and Debian,” Saeed Abbasi, manager of vulnerability and threat research at Qualys, told SiliconANGLE.

“Exploiting this easily exploitable buffer overflow allows attackers to gain critical root privileges, resulting in substantial risks such as unauthorized data access, alterations and potential data theft,” Abbasi added. “This tangible threat to system and data security, coupled with the possible incorporation of the vulnerability into automated malicious tools or software such as exploit kits and bots, escalates the risk of widespread exploitation and service disruptions.”

John Gallagher, vice president of Viakoo Labs at enterprise internet of things security platform provider Viakoo Inc., said that the “most vulnerable devices to this glibc vulnerability are IoT devices, due to their extensive use of the Linux kernel within custom operating systems.”

Gallagher noted that not only will different IoT device manufacturers have different schedules for producing patches, but there will be a lengthy process to ensure that all devices are remediated.

“To effectively deal with this, organizations must have a detailed inventory of all their assets, IT, IoT and applications,” Gallagher explains. “This is where knowing all the devices is not sufficient. Organizations must also have detailed knowledge of what applications are tied to these devices and any application-to-device dependencies that might impact remediating through patching.”

Image: Bing Image Creator