Security
Headlines
HeadlinesLatestCVEs

Headline

Critical Flaws Found in GNU C Library, Major Linux Distros at Risk

By Deeba Ahmed Patch Now or Pay Later: Qsort Flaw Leaves Millions of Linux Systems Exposed. This is a post from HackRead.com Read the original post: Critical Flaws Found in GNU C Library, Major Linux Distros at Risk

HackRead
#vulnerability#ubuntu#linux#debian#rce#buffer_overflow#wifi

Millions of Linux systems are at risk due to four critical vulnerabilities found in the GNU C Library (glibc), a fundamental component of most Linux distributions.

The Qualys Threat Research Unit (TRU) has discovered four significant vulnerabilities in the GNU C Library, a crucial component of Linux-based systems. Researchers have discovered multiple vulnerabilities in the library’s syslog and qsort functions, raising significant security concerns.

The first vulnerability, tracked as CVE-2023-6246, is a heap-based buffer overflow law. It is discovered in the GNU C Library’s __vsyslog_internal() function and affects syslog() and vsyslog().

The vulnerability, originating in glibc 2.37 introduced in August 2022, was subsequently backported to glibc 2.36, leading to its tracing. Most major Linux distributions, including Debian, Ubuntu, and Fedora, are vulnerable to this flaw, which allows local privilege escalation and lets unprivileged users gain full root access.

The same function affected by CVE-2023-6246 has two more, but minor impact vulnerabilities: CVE-2023-6779 (glibc) and CVE-2023-6780 (glibc). These vulnerabilities involve off-by-one heap-based buffer overflows and integer overflow issues.

Once triggered, these flaws appeared far more challenging than the first vulnerability (CVE-2023-6246). Further probing revealed that their effective exploitation is even more complex.

The last one is a memory corruption issue discovered in the GNU C Library’s qsort function, occurring due to missing bounds check. This vulnerability can be exploited when qsort() is used with a nontransitive comparison function and when an attacker manages to control a large number of elements, leading to malloc() failure.

The flaws affect glibc’s handling of input formats within syslog() and could trigger buffer overflows and memory corruption, allowing attackers to inject malicious code into vulnerable systems. Exploitation of these vulnerabilities may allow attackers to gain remote code execution (RCE) on affected systems, potentially leading to data theft and system compromise.

The syslog vulnerability allows root access, affecting major Linux distributions, while the qsort vulnerability leads to memory corruption. What is more concerning is that the vulnerabilities affect all glibc versions from September 1992 (glibc 1.04) to the current release (glibc 2.38).

TRU contacted the glibc security team regarding the flaws on 12 December 2023, but the team decided not to treat memory corruption in qsort() as a vulnerability. On 16 January 2024, TRU backported commit b9390ba to all stable versions of glibc, and the coordinated release date was set for 30 January 2023.

The discovery highlights the painful fact that even the most trusted components can have flaws. These issues usually have far-reaching implications, potentially impacting millions of users globally and making a large number of applications vulnerable and exploitable, as noted by TRU’s Product Manager, Saeed Abbasi in the company’s blog post:

“The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications.”

Users are advised to update their glibc versions immediately to mitigate risks, while system administrators and developers should review their applications/libraries to ensure their systems are safe.

  1. Mélofée: The Latest Malware Targeting Linux Servers
  2. WiFi Flaws Allow Network Traffic Interception on Linux
  3. Bluetooth Vulnerability Enables Keystroke Injection Linux
  4. Linux Vulnerability Exposes Millions of Systems to Attack
  5. Free Download Manager Site Pushed Linux Password Stealer

Related news

February 2024: Vulremi, Vuldetta, PT VM Course relaunch, PT TrendVulns digests, Ivanti, Fortinet, MSPT, Linux PW

Hello everyone! In this episode, I will talk about the February updates of my open source projects, also about projects at my main job at Positive Technologies and interesting vulnerabilities. Alternative video link (for Russia): https://vk.com/video-149273431_456239140 Let’s start with my open source projects. Vulremi A simple vulnerability remediation utility, Vulremi, now has a logo and […]

Gentoo Linux Security Advisory 202402-01

Gentoo Linux Security Advisory 202402-1 - Multiple vulnerabilities in glibc could result in Local Privilege Escalation. Versions greater than or equal to 2.38-r10 are affected.

Ubuntu Security Notice USN-6620-1

Ubuntu Security Notice 6620-1 - It was discovered that the GNU C Library incorrectly handled the syslog function call. A local attacker could use this issue to execute arbitrary code and possibly escalate privileges.

glibc syslog() Heap-Based Buffer Overflow

Qualys discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function, which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022).

glibc qsort() Out-Of-Bounds Read / Write

Qualys discovered a memory corruption in the glibc's qsort() function, due to a missing bounds check. To be vulnerable, a program must call qsort() with a nontransitive comparison function (a function cmp(int a, int b) that returns (a - b), for example) and with a large number of attacker-controlled elements (to cause a malloc() failure inside qsort()). They have not tried to find such a vulnerable program in the real world. All glibc versions from at least September 1992 (glibc 1.04) to the current release (glibc 2.38) are affected, but the glibc's developers have independently discovered and patched this memory corruption in the master branch (commit b9390ba, "stdlib: Fix array bounds protection in insertion sort phase of qsort") during a recent refactoring of qsort().

Debian Security Advisory 5611-1

Debian Linux Security Advisory 5611-1 - The Qualys Research Labs discovered several vulnerabilities in the GNU C Library's __vsyslog_internal() function (called by syslog() and vsyslog()). A heap-based buffer overflow (CVE-2023-6246), an off-by-one heap overflow (CVE-2023-6779) and an integer overflow (CVE-2023-6780) can be exploited for privilege escalation or denial of service.

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally

New Glibc Flaw Grants Attackers Root Access on Major Linux Distros

Malicious local attackers can obtain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc). Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc's __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It's said to have been accidentally

HackRead: Latest News

Neuro Nostalgia Hackathon 2024: A Retro Journey with Modern Twists