New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

Malicious local attackers can gain full root access on Linux machines by exploiting a newly disclosed security flaw in the GNU C library (aka glibc).

Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It is said to have been accidentally introduced in August 2022 with the release of glibc 2.37.

"This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access," Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said, adding it impacts major Linux distributions like Debian, Ubuntu, and Fedora.

A threat actor could exploit the flaw to obtain elevated permissions via specially crafted inputs to applications that employ these logging functions.

"Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant because of the widespread use of the affected library," Abbasi noted.

The cybersecurity firm said further analysis of glibc unearthed two more flaws in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third bug in the library's qsort() function that can lead to memory corruption.

The vulnerability found in qsort() has affected all glibc versions released since 1992.

The development comes nearly four months after Qualys detailed another high-severity flaw in the same library called Looney Tunables (CVE-2023-4911, CVSS score: 7.8) that could result in privilege escalation.

"These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications," Abbasi said.
