A local privilege escalation flaw within GNU C (glibc) has been revealed, raising the possibility of cyber attacks on endpoints with the library installed – quite a large pool, because the library enables critical kernel functions for several major kernel functions Linux distributions.
Per BleepingComputerthe error, revealed as CVE-2023-6246was found in glibc’s __vsyslog_internal() function, called by the syslog and vyslog functions for logging messages to the system.
The flaw allows unauthorized users to gain root access (full read, write, and execute privileges) over a distribution instance via a buffer overflow, which is, to use the correct computing term, terrifying.
The technical stuff
In the exposé published on January 30, 2024, researchers from security firm Qualys wrote that even modern Fedora installations were exploitable. That’s worrying, but disclosure should speed up a resolution.
Making matters worse is the fact that, according to the disclosure, this vulnerability was once again backported to 2.36 via another code commit that fixed another bug in __vsyslog_internal(), which stemmed from an uninitialized memory read, tracked as CVE-2022-39046.
Buffer overflow, or writing more data to part of a computer program than it has allocated, allowing arbitrary, potentially nefarious code to be executed, has always been a serious problem for the decades-old glibc library, to the point where Qualys discovered that a very similar bug was in the code has happened beforein 1997.
The usual solution is to add functions to the code that check memory limits so that if an allocation to a buffer would cause an overflow, it is rejected.
The implications
Even if you’re not a programmer, this news would alarm anyone who is given to the hype and now runs Debian (versions 12 to 13) or a Debian-based Linux distribution, including Raspberry Pi operating systemas well as other major Linux variants such as Fedora (37 to 39) and Ubuntu (23.04 and 23.10) and their offshoots, including the well-established and popular Linux Mint.
Qualys also pointed out that “other distributions are likely to be exploited as well,” so even though we’ve mentioned some of the popular distributions affected, you may want to do further research.
The only saving grace of all this is that Qualys doesn’t believe the exploit can be remotely triggered, writing in the disclosure that “to our knowledge, this vulnerability cannot be remotely triggered in any likely scenario (because there is an argv( 0), or an openlog() ident argument, longer than 1024 bytes to activate)”.