In the world of cybersecurity, vulnerabilities are an ever-present concern. Recently, security researchers unearthed a noteworthy vulnerability in the GNU C Library’s dynamic loader, often referred to as ld.so. This vulnerability, identified as CVE-2023-4911, poses a significant security risk due to its potential to enable local privilege escalation. In this blog post, we will explore the intricacies of this vulnerability, shedding light on its impact, exploitation, and more.
The GNU C Library’s dynamic loader, ld.so, plays a critical role in locating and loading shared libraries required by programs, preparing them to run, and executing them. This process is sensitive to security, especially when a local user runs a program with elevated privileges. Historically, issues related to the processing of environment variables like LD_PRELOAD, LD_AUDIT, and LD_LIBRARY_PATH have been a common source of vulnerabilities in the dynamic loader.
The vulnerability in question was discovered in the handling of the GLIBC_TUNABLES environment variable, introduced in April 2021 (glibc 2.34). This vulnerability is essentially a buffer overflow, triggered when parsing GLIBC_TUNABLES. It was introduced by commit 2ed18c (“Fix SXID_ERASE behavior in setuid programs (BZ #27471)”).
This vulnerability has the potential to grant an attacker full root privileges on systems running affected glibc versions. Notably, default installations of popular Linux distributions like Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13 were found to be vulnerable. Although not all distributions are confirmed to be vulnerable, researchers anticipate that others may share this susceptibility.
Proof of Concept
Researchers successfully demonstrated the vulnerability using a proof of concept. By crafting a malicious environment variable as part of the GLIBC_TUNABLES parameter, they were able to trigger a segmentation fault, leading to a potential privilege escalation.
Exploiting this vulnerability involves overwriting memory with arbitrary code to achieve code execution. The challenge is finding a suitable target for this memory overwrite. In the case of ld.so, this is complicated by the fact that the memory is allocated with mmap(), and overwriting ld.so’s own memory would lead to immediate crashes.
Researchers explored various options and eventually focused on overwriting the l_info[DT_RPATH] pointer in the soon-to-be-allocated link_map structure. This pointer controls the library search path, enabling the attacker to force ld.so to load libraries from a directory under their control. This could ultimately lead to arbitrary code execution with elevated privileges.
Security research is often a collaborative effort, and this discovery was no exception. The researchers would like to extend their gratitude to Red Hat Product Security, Siddhesh Poyarekar, the members of linux-distros@openwall, Salvatore Bonaccorso, and Solar Designer for their contributions and support throughout this investigation.
1. September 4, 2023: Advisory and exploit sent to secalert@redhat.
2. September 19, 2023: Advisory and patch sent to linux-distros@openwall.
3. October 3, 2023: Coordinated Release Date (17:00 UTC).
Finally, the CVE-2023-4911 vulnerability in the GNU C Library’s dynamic loader (ld.so) is a significant concern for Linux systems. It underscores the importance of promptly applying patches and maintaining up-to-date systems to mitigate such vulnerabilities. As always, vigilance in the realm of cybersecurity is essential to stay ahead of potential threats and vulnerabilities.
Due to RELIANOID ADC Load Balancer (both Community Edition and Enterprise Edition) are based on Debian 10, they are not affected by this vulnerability. All vulnerability fixes deployed by RELIANOID are publish under the timeline.