Malicious local attackers can gain full root access on Linux machines by exploiting a recently disclosed security flaw in the GNU C library (also known as glibc).
Detected as CVE-2023-6246 (CVSS score: 7.8), the heap-based buffer overflow vulnerability is rooted in glibc’s __vsyslog_internal() function, which is used by syslog() and vsyslog() for logging purposes of the system. It is said to have been accidentally introduced in August 2022 with the release of glibc 2.37.
“This flaw allows for local privilege escalation, allowing an unprivileged user to gain full root access,” said Saeed Abbasi, product manager of Qualys’ Threat Research Unit, adding that it impacts major Linux distributions such as Debian, Ubuntu and Fedora.
A threat actor could exploit the flaw to gain elevated permissions via specially crafted input to applications that use these logging functions.
“Although the vulnerability requires specific conditions to be exploited (such as an argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library,” Abbasi noted.
The cybersecurity firm said that further analysis of glibc uncovered two more flaws in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third bug in the glibc qsort() function. library which can lead to memory corruption.
The vulnerability found in qsort() has affected all versions of glibc released since 1992.
The development comes nearly four months after Qualys detailed another high-severity flaw in the same library called Looney Tunables (CVE-2023-4911, CVSS score: 7.8) that could result in privilege escalation.
“These flaws highlight the critical need for rigorous security measures in software development, especially for core libraries that are widely used in many systems and applications,” Abbasi said.