Looney Tunables Bug Opens Millions of Linux Systems to Root Takeover

Published: 23/11/2024   Category: security




The flaw poses a significant risk of unauthorized data access, system alterations, potential data theft, and complete takeover of vulnerable systems, especially in the IoT and embedded computing space.



Attackers can now gain root privileges on millions of Linux systems — by exploiting an easy-to-exploit, newly discovered buffer overflow flaw in a common library used on most major distributions of the open source OS. Dubbed Looney Tunables, the bug could mean "that's all, folks" for sensitive data, and could lead to even worse ramifications.
Fedora, Ubuntu, and Debian are the systems most at risk from the bug (CVE-2023-4911, CVSS 7.8), Qualys researchers revealed in a blog post late on Oct. 3. It's found in the GNU C Library (glibc) in the GNU system, which is found in most systems running the Linux kernel, according to the firm.
Glibc is a library that defines the system calls and other basic functionalities, such as open, malloc, printf, exit, etc., that a typical program requires. The vulnerability occurs in how the dynamic loader of glibc processes the GLIBC_TUNABLES environment variable, the researchers said, thus giving the bug its name.
IoT devices running in a Linux environment in particular are extremely vulnerable to an exploit of the flaw, due to their extensive use of the Linux kernel within custom operating systems, warns John Gallagher, vice president of Viakoo Labs at Viakoo. That means that embedded environments such as smart factories, connected equipment like drones and robots, and a range of consumer gear are at particular risk.
Researchers have successfully exploited the flaw — introduced to the code in April 2021 — to gain full root privileges on default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. However, it's likely that other distributions are similarly susceptible, with the exception of Alpine Linux due to its use of musl libc instead of glibc, Saeed Abbasi, product manager of the Threat Research Unit at Qualys, wrote in the post.
Exploiting the flaw — which isn't difficult to do — results in considerable risks to vulnerable Linux systems, such as unauthorized data access, system alterations, and potential data theft, he tells Dark Reading.

This tangible threat to system and data security, coupled with the possible incorporation of the vulnerability into automated malicious tools or software such as exploit kits and bots, escalates the risk of widespread exploitation and service disruptions, Abbasi says.
Researchers disclosed the flaw to Red Hat on Sept. 4, and an advisory and patch were sent to the OpenWall open source security project on Sept. 19. The patch was subsequently released on Oct. 3, with various Linux distributions, including Red Hat, Ubuntu, Upstream, Debian, and Gentoo, all releasing their own updates.
To understand the flaw, it's important to know the role of glibc's dynamic loader, the part of the library responsible for preparing and running programs — duties that include determining and allocating shared libraries as well as linking them with the executable at runtime. In the process, the dynamic loader also resolves symbol references, such as function and variable references, ensuring that everything is set for the program's execution.
Given its role, the dynamic loader is highly security-sensitive, as its code runs with elevated privileges when a local user launches a set-user-ID or set-group-ID program, Abbasi explained in the post. That's why if this component of the library is compromised, an attacker also has the benefit of those privileges on a system.
The GLIBC_TUNABLES environment variable allows users to modify the library's behavior at runtime, eliminating the need to recompile either the application or the library. By setting GLIBC_TUNABLES, users can adjust various performance and behavior parameters, which are then applied upon application startup.
Having a buffer overflow flaw in how the dynamic loader handles the GLIBC_TUNABLES environment variable — an essential tool for developers and system administrators — poses significant ramifications in terms of system performance, reliability, and security, Abbasi says.
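An added example (not from the original article or from Qualys): because the loader handles GLIBC_TUNABLES with elevated privileges when a set-user-ID or set-group-ID program is launched, a defender can flag such launches that carry the variable. The event layout, function names and sample records below are assumptions constructed for illustration.

```python
import os
import stat

VAR = "GLIBC_TUNABLES"

def parse_environ(blob: bytes) -> dict:
    """Parse a NUL-separated environment block (the /proc/<pid>/environ format)."""
    env = {}
    for entry in blob.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        if sep and name:  # skip empty or malformed entries
            # First occurrence wins, matching how getenv() resolves duplicates.
            env.setdefault(name.decode(errors="replace"), value.decode(errors="replace"))
    return env

def runs_elevated(mode: int) -> bool:
    """True when the file mode carries the set-user-ID or set-group-ID bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))

def suspicious(events) -> list:
    """Return (exe, value) for elevated programs launched with GLIBC_TUNABLES set."""
    hits = []
    for ev in events:
        env = parse_environ(ev["environ"])
        if VAR in env and runs_elevated(ev["mode"]):
            hits.append((ev["exe"], env[VAR]))
    return hits

def live_events(proc="/proc"):
    """Yield events for running processes; entries we cannot read are skipped."""
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            exe = os.readlink(f"{proc}/{pid}/exe")
            with open(f"{proc}/{pid}/environ", "rb") as fh:
                blob = fh.read()
            yield {"exe": exe, "mode": os.stat(exe).st_mode, "environ": blob}
        except OSError:
            continue

# Constructed sample events (hypothetical layout: exe path, st_mode, environ block).
SAMPLE = [
    {"exe": "/usr/bin/su", "mode": 0o104755,
     "environ": b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.check=1\0"},
    {"exe": "/usr/bin/ls", "mode": 0o100755,
     "environ": b"GLIBC_TUNABLES=glibc.malloc.check=1\0"},
    {"exe": "/usr/bin/passwd", "mode": 0o104755, "environ": b"PATH=/usr/bin\0"},
]

if __name__ == "__main__":
    print(suspicious(SAMPLE))         # constructed data
    print(suspicious(live_events()))  # this host; run as root to see other users' processes
```

A hit is a prompt for triage rather than proof of exploitation, since the variable has legitimate uses; it is rarely set when launching set-user-ID programs, which keeps the signal low-noise.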
These potential ramifications amplify the urgency of immediate patching, even though the researchers chose not to release their exploit. They did, however, release a technical breakdown of the vulnerability.
Even in the absence of evident exploitation in the wild, grasping a thorough understanding of the vulnerability and preemptively preparing defenses becomes paramount, particularly given the high stakes that come into play once it is exploited, Abbasi says.
In fact, given the ease with which the buffer overflow can be transformed into a data-only attack, Qualys anticipates that other research teams could soon produce and release exploits for Looney Tunables. This means that organizations must act with utmost diligence to shield their systems and data from potential compromise through this vulnerability in glibc, he advised.
Not only will different IoT device manufacturers have different schedules for producing patches, there will be a lengthy process to ensure that all devices are remediated, says Viakoo Labs' Gallagher. To effectively deal with this, organizations must have a detailed inventory of all their assets, IT, IoT, and applications.
