Funtoo Linux issue FL-11690

CVE-2023-4911: Local Privilege Escalation in glibc's ld.so

    • Type: Security Vulnerability
    • Resolution: Fixed
    • Priority: Critical (System)
    • Affects all Funtoo installations. The vulnerability is not confirmed to be exploitable on Funtoo, but it is definitely present: the original proof of concept has been confirmed to cause a segfault on multiple machines.

      The Qualys Threat Research Unit (TRU) has discovered a buffer overflow vulnerability in GNU C Library’s dynamic loader’s processing of the GLIBC_TUNABLES environment variable.

      The official NIST CVE:

      The official blog write-up by Qualys:

      Official upstream glibc patch (which applies only to the unreleased glibc 2.39 source code):

      After digging through the NIST CVE entry it was challenging to pinpoint exactly which versions of glibc are affected, as they are not clearly stated. As the Qualys team noted in their write-up:

      This vulnerability was introduced in April 2021 (glibc 2.34) by commit 2ed18c ("Fix SXID_ERASE behavior in setuid programs (BZ #27471)").
      
      Last-minute note: although glibc 2.34 is vulnerable to this buffer
      overflow, its tunables_strdup() uses __sbrk(), not __minimal_malloc()
      (which was introduced in glibc 2.35 by commit b05fae, "elf: Use the
      minimal malloc on tunables_strdup"); we have not yet investigated
      whether glibc 2.34 is exploitable or not.

      But digging into the Debian security tracker, https://security-tracker.debian.org/tracker/CVE-2023-4911 and https://security-tracker.debian.org/tracker/DSA-5514-1 respectively, shows that Debian backported the fix to their glibc 2.31 package (bullseye).

      I found that patch's source here: https://salsa.debian.org/glibc-team/glibc/-/commit/a6ef77d00ad24e810d1e700265541d0b64666a08 but, as expected, it does not apply cleanly to Funtoo's glibc-2.33 distfile source:


      patch -p1 --dry-run < looney_tunables_2.31_debian_bullseye.patch
      checking file elf/dl-tunables.c
      Hunk #1 FAILED at 187.
      Hunk #2 FAILED at 251.
      2 out of 2 hunks FAILED

      I analyzed Funtoo's glibc-2.33 distfile sources and isolated the vulnerable code to lines 216 to 307 of elf/dl-tunables.c, i.e. the parse_tunables function.
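      To make the parse_tunables problem concrete, here is a simplified model of that loop, added to this report as an illustration; it is not glibc's own code. It keeps the shape of the loop as it looks after commit 2ed18c (the commit the Qualys note above identifies as introducing the bug): in secure (setuid) mode every recognised name=value pair is copied back into the front of a buffer that the real loader allocates as a strdup() of the input string. The model recognises a single tunable name, always takes the secure-mode rewrite path, and writes into an oversized scratch buffer so the overrun can be measured instead of corrupting memory. The inputs in main() are constructed for the example; the first has the "tunable=tunable=value" shape the public proof of concept uses.

```c
/* Simplified model of the parse_tunables() loop in glibc's elf/dl-tunables.c,
 * before and after the upstream CVE-2023-4911 fix.  Added illustration, not
 * glibc code: one known tunable, secure-mode rewrite always taken, output to
 * an oversized scratch buffer so the overrun is measured, not triggered. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SCRATCH_SIZE 4096
static char scratch[SCRATCH_SIZE];

/* The only tunable this model recognises (the one the public PoC uses). */
static const char KNOWN[] = "glibc.malloc.mxfast";

static bool name_matches(const char *name, size_t len)
{
    return len == strlen(KNOWN) && memcmp(name, KNOWN, len) == 0;
}

/* Walk a GLIBC_TUNABLES string as the loader does for a setuid binary and
 * copy each recognised name=value pair to the front of a buffer that, in the
 * real loader, holds strlen(input) + 1 bytes.  Returns bytes written, NUL
 * included.  fixed == false: loop as before the fix.  fixed == true: stop as
 * soon as a value runs to the end of the input, as the upstream patch does.
 * Returns (size_t)-1 if even the scratch buffer would overflow. */
static size_t rewrite_tunables(const char *input, bool fixed)
{
    const char *p = input;
    size_t off = 0;

    memset(scratch, 0, sizeof scratch);

    for (;;) {
        const char *name = p;
        size_t len = 0;

        /* The name runs up to '=', ':' or the end of the string. */
        while (p[len] != '=' && p[len] != ':' && p[len] != '\0')
            len++;

        if (p[len] == '\0')
            break;              /* no value at all: stop */
        if (p[len] == ':') {    /* element without '=': skip it */
            p += len + 1;
            continue;
        }

        p += len + 1;           /* step over '=' */
        const char *value = p;
        size_t vlen = 0;

        /* The value runs up to ':' or the end, so it may itself contain '='. */
        while (p[vlen] != ':' && p[vlen] != '\0')
            vlen++;

        if (name_matches(name, len)) {
            if (off + len + vlen + 3 > sizeof scratch)
                return (size_t)-1;
            if (off > 0)
                scratch[off++] = ':';
            memcpy(scratch + off, name, len);
            off += len;
            scratch[off++] = '=';
            memcpy(scratch + off, value, vlen);
            off += vlen;
        }

        if (p[vlen] != '\0')
            p += vlen + 1;      /* next element */
        else if (fixed)
            break;              /* upstream fix: end of input reached */
        /* Vulnerable behaviour: p is left pointing at the value, which the
         * next iteration parses as a name.  For "known=known=x" the pair is
         * therefore emitted a second time and the rewrite outgrows the input. */
    }

    scratch[off++] = '\0';
    return off;
}

/* The rewritten string from the last rewrite_tunables() call. */
static const char *last_rewrite(void)
{
    return scratch;
}

/* True when the rewrite would not fit the strdup()-sized allocation, which
 * in the real loader is the heap overflow. */
static bool overflows(const char *input, bool fixed)
{
    return rewrite_tunables(input, fixed) > strlen(input) + 1;
}

int main(void)
{
    /* Constructed inputs: the PoC shape, then a benign repeated tunable. */
    const char *inputs[] = { "glibc.malloc.mxfast=glibc.malloc.mxfast=A",
                             "glibc.malloc.mxfast=1:glibc.malloc.mxfast=2" };
    for (size_t i = 0; i < 2; i++)
        printf("%s\n  allocation %zu, vulnerable loop writes %zu, fixed loop writes %zu\n",
               inputs[i], strlen(inputs[i]) + 1,
               rewrite_tunables(inputs[i], false), rewrite_tunables(inputs[i], true));
    return 0;
}
```

      For the PoC-shaped input the unfixed loop wants to write 64 bytes into a 42-byte allocation, while the fixed loop writes exactly 42 and leaves the string unchanged; the benign input fits in both. On a real system the check Qualys published, `env -i "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A" "Z=$(printf '%08192x' 1)" /usr/bin/su --help`, feeds the same shape to the actual loader: a segfault means the overrun is happening in ld.so, whereas a patched loader simply prints su's help text.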

      I personally did not confirm the proof of concept by Qualys, but A_Curious_Cat and calrama in the #security Discord channel did. See quotes below:

      calrama — 10/04/2023 1:23 AM
      FWIW: The proof-of-concept segmentation fault also gets triggered on my glibc 2.33 Funtoo next system. I have not the time to investigate further atm, unfortunately.
      
      A_Curious_Cat — Today at 1:33 PM
      
      I will note, however, that I just tried the proof of concept on my system running glibc-2.33-r2 (modified to use /bin/su instead of /usr/bin/su), and it worked.

      In conclusion, we still need a third confirmation, and then someone who can write C to craft a custom patch for the parse_tunables function in glibc's elf/dl-tunables.c, as I have not found any other distro patching glibc 2.33.

      The only other option is to upgrade Funtoo next to a version of glibc the upstream patch applies to (2.37, or another version other distros are patching), which is very likely a far more complex, burdensome and time-consuming toolchain task, with the risk of breaking even more things. I did confirm from the upstream glibc NEWS file that the unreleased glibc 2.39 lists CVE-2023-4911 as fixed under the "Security related changes" section.

      The only glimmer of hope is that this is a local privilege escalation: it grants full root privileges on a system running an exploitable glibc, but the attacker first needs a shell session as some user on the vulnerable system (local access). So a Funtoo Linux system exposed to the internet, where untrusted users can obtain a local shell, is at much higher risk per se than a system protected inside the perimeter of a local area network. Nevertheless it is a seriously dangerous CVE.


            invakid404
            siris
            Votes: 0
            Watchers: 3