Glibc: CVE-2023-4911 High Risk Privilege Escalation Advisory
Oct 20, 2023
•
Brittany Day
3 - 5 min read
Imagine your Linux system as a busy airport. Glibc, an integral part of most Linux systems that provide basic system functions like file I/O, network, and memory access, is the control tower that could give sneaky hackers free rein, like letting them play pilot. Recently, a severe buffer overflow vulnerability dubbed "Looney Tunables" was found in this control tower. This vulnerability may lead to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlighting its widespread impact. It's essential to update your system right away, like a safety check before your next flight, just to keep everything flying straight and level!
We also have other significant discoveries and fixes for you, including mitigations for a severe heap-based buffer overflow flaw (CVE-2023-38545) found in the Curl HTTP, HTTPS, and FTP client and client libraries, which could allow a remote attacker to execute arbitrary code on impacted systems, resulting in potential security breaches, including unauthorized access, data theft, and system compromise. A severe, remotely exploitable Type Confusion vulnerability has also been found in Chromium (CVE-2023-5346), which could result in arbitrary code execution, denial of service (DoS), and information disclosure on affected systems. These vulnerabilities are among the most severe and impactful we’ve seen in a while, making it essential to stay up-to-date on these issues to protect your system from any potential harm.
Did you find today’s newsletter helpful and informative? If so, please do us and the community a favor and share it with a fellow security geek to help them secure their systems against these dangerous bugs. We also welcome feedback on how we could improve our newsletters or our site. If you have any thoughts or suggestions, please share them with us. Do you have a Linux security-related topic you'd like to cover for our audience? We welcome contributions from enthusiastic, insightful community members who share our passion for Linux security!
Stay safe out there,
GNU C LibraryThe DiscoveryHave you updated to fix the notorious “Looney Tunables” buffer overflow vulnerability found in the GNU C Library? This severe bug exists in the glibc dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable (CVE-2023-4911). This vulnerability was introduced in April 2021 and poses a significant threat to systems with default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. |
CurlThe DiscoveryA severe heap-based buffer overflow flaw (CVE-2023-38545) has been found in the SOCKS5 proxy handshake in the Curl HTTP, HTTPS, and FTP client and client libraries. This remotely exploitable vulnerability significantly threatens impacted systems' confidentiality, integrity, and availability. |
ChromiumThe DiscoveryDistros continue to release updates mitigating a severe, remotely exploitable Type Confusion vulnerability found in Chromium (CVE-2023-5346). Due to its significant threat to the confidentiality, integrity, and availability of impacted systems, this bug has received a National Vulnerability Database base score of 8.8 out of 10 (“High” severity). Other important security vulnerabilities have also been discovered in Chromium, including inappropriate implementation in Custom Tabs, Prompts, Input, Custom Mobile Tabs, Autofill, Intents, Picture in Picture, and Interstitials, and insufficient policy enforcement in Downloads. |
PREVIOUS
NEXT
