Chief Scientist Emeritus Fabian Yamaguchi and foundational Code Property Graph technology recognized with IEEE Test of Time Award

While Bugs Bunny and company may be part of your favorite childhood memories, the Looney Tunables vulnerability could become one of your worst nightmares. CVE-2023-4911 remains under analysis but comes with a base Common Vulnerability Scoring System (CVSS) score of 7.8 (high). Primarily impacting Fedora, Ubuntu, and Debian, the easily exploitable buffer overflow vulnerability gives attackers a way to gain root privileges on a Linux system.

To prevent attackers from using the Looney Tunables vulnerability to become the Porky Pig of data, you should know what it is, how they can exploit it, and whether they can exploit it in the context of your code. 

What is the Looney Tunables Vulnerability?

The Looney Tunables vulnerability (CVE-2023-4911) is a buffer overflow vulnerability introduced in the GNU C Library (glibc) in April 2021 (glibc 2.34) by commit 2ed18c. When the dynamic loader (ld.so) processes the GLIBC_TUNABLES environment variable, local attackers can maliciously craft GLIBC_TUNABLES variables and execute code with elevated privileges. 

 

What are the known affected software configurations?

The National Vulnerability Database (NVD) uses the Common Platform Enumeration (CPE) to identify three specific configurations affected by the vulnerability.

 

Of note, since Alpine Linux uses musl libc, it is not at risk from attacks leveraging this vulnerability.  

GNU C Library

If you think you have used a vulnerable version of the glibc, you can use the following CPEs:

  • cpe:/a:gnu:glibc:-
  • cpe:/a:gnu:glibc:-::~~~~x64~

Fedora Project

If you think you have used a vulnerable version of the Fedora Project, you can use the following CPEs:

  • cpe:/o:fedoraproject:fedora:37
  • cpe:/o:fedoraproject:fedora:38
  • cpe:/o:fedoraproject:fedora:39

RedHat

If you think you have used a vulnerable version of RedHat, you can use the following CPEs:

  • cpe:/a:redhat:virtualization:4.0
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.0::~~~~arm64~
  • cpe:/o:redhat:enterprise_linux:8.0::~~-~~~
  • cpe:/o:redhat:enterprise_linux:8.0::~~advanced_virtualization~~~
  • cpe:/o:redhat:enterprise_linux:8.0::~~coreos~~~
  •  cpe:/o:redhat:enterprise_linux:9.0

Additional At-Risk Distros

According to researchers, the vulnerability exists on the default installations of the following:

  • Ubuntu: 22.04 and 23.04
  • Debian: 12 and 13

While the researchers successfully identified and exploited the vulnerability in these distributions, they note that others are likely at risk. 

Overview of an Exploit Leveraging Looney Tunables

Looney Tunables is a straightforward buffer overflow vulnerability that occurs at the beginning of the dynamic loader’s execution. Since the dynamic loader prepares and runs programs, it:

  • Determines and allocates shared libraries
  • Links shared libraries with the executable at runtime
  • Resolves symbol references, like function and variable references

The TL;DR of the technical information is that the vulnerability gives attackers a way to redirect data to a location of their choice, enabling a data-only attack. Since attackers can use the Luney Tunables vulnerability to overwrite pointers, they can break the dynamic loader’s logic. 

The _tunables_init() can process multiple GLIBC_TUNABLES environment variables, and the Linux kernel is a top-down allocator, enabling the researchers to:

  • Map an initial GLIBC_TUNABLES to memory without overflowing
  • Map a second GLIBC_TUNABLES immediately below and overflow it

Since the dynamic loader allocates memory for the link_map structure, the buffer overflow gives attackers a way to overwrite pointers in that structure. By overwriting the pointer for the “Library search path” attackers could control where it points to. This capability enables them to force the dynamic loader to trust a directory that they own and execute arbitrary code. 

At this point, the parse_tunables writes the bytes out-of-bounds, and the original GLIBC_TUNABLES environment variable reads them. This is the point where the attackers can use the buffer overflow to overwrite all pointers, except for the one that directs to their malicious library. 

QwietAI: Mitigate Looney Tunables Vulnerability Risks by Identifying Reachable Vulnerabilities

While attackers may be able to easily exploit the Luney Tunables vulnerability, you need to know whether they can use it within the context of your source code. Researchers proved that Luney Tunable as a standalone code vulnerability can lead to an attack. However, depending on how you integrate the at-risk code into your source code, attackers may not be able to exploit your application. 

Qwiet AI’s preZero platform looks for vulnerabilities and uses data flow analyses. By combining vulnerability scans with software composition analysis (SCA), Qwiet AI enables you to identify the vulnerabilities that attackers can use within the context of your unique source code. While Luney Tunables may pose a high risk because attackers can use it, they may not be able to exploit your application if their inputs can’t affect the vulnerable library or if a user-controlled path within your application never calls the library. 

About Qwiet AI

Qwiet AI empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, Qwiet AI scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, Qwiet AI then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use Qwiet AI ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, Qwiet AI is based in Santa Clara, California. For information, visit: https://qwiet.ai

Share

Read Next

Cybersecurity
January 16, 2025 4 min to read

Unpacking the New White House Cybersecurity Executive Ord...

by Chris Hatter

The latest executive order on cybersecurity issued today, Jan 16 2024, covers a lot of ground across multiple cybersecurity domains, from software security to post-quantum cryptography. The White House is sending a clear message to both the public and private sectors that the threats from foreign adversaries are more dire than ever. It comes at […]

READ MORE
Cybersecurity
May 29, 2024 3 min to read

GitHub Copilot & Advanced Security : The Fox Guardin...

by Team Qwiet

GitHub Copilot, the AI-powered coding assistant, has emerged as a game-changer in the software development landscape. By harnessing the power of generative AI, Copilot promises to accelerate coding tasks, boost developer productivity, and even democratize coding by making it more accessible to newcomers. However, as with any transformative technology, there are caveats. In Copilot’s case, […]

READ MORE
AI Announcements Cybersecurity
April 29, 2024 4 min to read

The Qwiet AI Code Doctor Will See You Now – Introdu...

by Stuart McClure

Qwiet AI and the ancient Greek physicians like the father of medicine Hippocrates have much in common. Hippocrates highlighted the significance of a healthy diet and lifestyle in preventing diseases and acknowledged the root cause of physical and psychological ailments as diet and lifestyle choices (Διαιτήμασί in Greek), and now Qwiet AI is delivering his […]

READ MORE

Read Next

AppSec Cybersecurity DevOps Engineering
September 7, 2023 5 min to read

Handling JWT Safely: Mitigating Common Security Risks

Introduction The world of application development is a balance between providing features and ensuring security. One tool that stands as a bridge between functionality and security is the JSON Web Token (JWT). While powerful and versatile, like all tools, it requires understanding and caution in its implementation. A Primer on JWTs JWT is a concise, […]

READ MORE
Cybersecurity
November 22, 2021 5 min to read

Getting to Know Compliance in Software Development

On March 21, the Biden administration directed US companies to "harden your cyber defenses immediately." With these new federal guidelines for application security, the White House urged software developers to deploy "modern tools that can detect known and potential vulnerabilities" in their custom and open-source software (OSS). Learn more about how ShiftLeft can help.

READ MORE
Cybersecurity
December 1, 2021 5 min to read

Keeping the wrench out of the gears: 5 tips for achieving...

More often than not, when people hear the word “compliance” they assume it will be a roadblock to speed. For DevOps teams, reduced speed and productivity undermine their goals. At the same time, experiencing more data breaches leads to new compliance mandates as legislative bodies and industry standards organizations try to set minimum security baselines. […]

READ MORE
Subscribe to newsletter
Privacy Policy Terms of Service © 2024 Qwiet. All rights reserved
Services
Company
Platform
Resources
Log In