See for yourself – run a scan on your code right now

While Bugs Bunny and company may be part of your favorite childhood memories, the Looney Tunables vulnerability could become one of your worst nightmares. CVE-2023-4911 remains under analysis but comes with a base Common Vulnerability Scoring System (CVSS) score of 7.8 (high). Primarily impacting Fedora, Ubuntu, and Debian, the easily exploitable buffer overflow vulnerability gives attackers a way to gain root privileges on a Linux system.

To prevent attackers from using the Looney Tunables vulnerability to become the Porky Pig of data, you should know what it is, how they can exploit it, and whether they can exploit it in the context of your code. 

What is the Looney Tunables Vulnerability?

The Looney Tunables vulnerability (CVE-2023-4911) is a buffer overflow vulnerability introduced in the GNU C Library (glibc) in April 2021 (glibc 2.34) by commit 2ed18c. When the dynamic loader (ld.so) processes the GLIBC_TUNABLES environment variable, local attackers can maliciously craft GLIBC_TUNABLES variables and execute code with elevated privileges. 

 

What are the known affected software configurations?

The National Vulnerability Database (NVD) uses the Common Platform Enumeration (CPE) to identify three specific configurations affected by the vulnerability.

 

Of note, since Alpine Linux uses musl libc, it is not at risk from attacks leveraging this vulnerability.  

GNU C Library

If you think you have used a vulnerable version of the glibc, you can use the following CPEs:

  • cpe:/a:gnu:glibc:-
  • cpe:/a:gnu:glibc:-::~~~~x64~

Fedora Project

If you think you have used a vulnerable version of the Fedora Project, you can use the following CPEs:

  • cpe:/o:fedoraproject:fedora:37
  • cpe:/o:fedoraproject:fedora:38
  • cpe:/o:fedoraproject:fedora:39

RedHat

If you think you have used a vulnerable version of RedHat, you can use the following CPEs:

  • cpe:/a:redhat:virtualization:4.0
  • cpe:/o:redhat:enterprise_linux:8.0
  • cpe:/o:redhat:enterprise_linux:8.0::~~~~arm64~
  • cpe:/o:redhat:enterprise_linux:8.0::~~-~~~
  • cpe:/o:redhat:enterprise_linux:8.0::~~advanced_virtualization~~~
  • cpe:/o:redhat:enterprise_linux:8.0::~~coreos~~~
  •  cpe:/o:redhat:enterprise_linux:9.0

Additional At-Risk Distros

According to researchers, the vulnerability exists on the default installations of the following:

  • Ubuntu: 22.04 and 23.04
  • Debian: 12 and 13

While the researchers successfully identified and exploited the vulnerability in these distributions, they note that others are likely at risk. 

Overview of an Exploit Leveraging Looney Tunables

Looney Tunables is a straightforward buffer overflow vulnerability that occurs at the beginning of the dynamic loader’s execution. Since the dynamic loader prepares and runs programs, it:

  • Determines and allocates shared libraries
  • Links shared libraries with the executable at runtime
  • Resolves symbol references, like function and variable references

The TL;DR of the technical information is that the vulnerability gives attackers a way to redirect data to a location of their choice, enabling a data-only attack. Since attackers can use the Luney Tunables vulnerability to overwrite pointers, they can break the dynamic loader’s logic. 

The _tunables_init() can process multiple GLIBC_TUNABLES environment variables, and the Linux kernel is a top-down allocator, enabling the researchers to:

  • Map an initial GLIBC_TUNABLES to memory without overflowing
  • Map a second GLIBC_TUNABLES immediately below and overflow it

Since the dynamic loader allocates memory for the link_map structure, the buffer overflow gives attackers a way to overwrite pointers in that structure. By overwriting the pointer for the “Library search path” attackers could control where it points to. This capability enables them to force the dynamic loader to trust a directory that they own and execute arbitrary code. 

At this point, the parse_tunables writes the bytes out-of-bounds, and the original GLIBC_TUNABLES environment variable reads them. This is the point where the attackers can use the buffer overflow to overwrite all pointers, except for the one that directs to their malicious library. 

QwietAI: Mitigate Looney Tunables Vulnerability Risks by Identifying Reachable Vulnerabilities

While attackers may be able to easily exploit the Luney Tunables vulnerability, you need to know whether they can use it within the context of your source code. Researchers proved that Luney Tunable as a standalone code vulnerability can lead to an attack. However, depending on how you integrate the at-risk code into your source code, attackers may not be able to exploit your application. 

Qwiet AI’s preZero platform looks for vulnerabilities and uses data flow analyses. By combining vulnerability scans with software composition analysis (SCA), Qwiet AI enables you to identify the vulnerabilities that attackers can use within the context of your unique source code. While Luney Tunables may pose a high risk because attackers can use it, they may not be able to exploit your application if their inputs can’t affect the vulnerable library or if a user-controlled path within your application never calls the library. 

About ShiftLeft

ShiftLeft empowers developers and AppSec teams to dramatically reduce risk by quickly finding and fixing the vulnerabilities most likely to reach their applications and ignoring reported vulnerabilities that pose little risk. Industry-leading accuracy allows developers to focus on security fixes that matter and improve code velocity while enabling AppSec engineers to shift security left.

A unified code security platform, ShiftLeft CORE scans for attack context across custom code, APIs, OSS, containers, internal microservices, and first-party business logic by combining results of the company’s and Intelligent Software Composition Analysis (SCA). Using its unique graph database that combines code attributes and analyzes actual attack paths based on real application architecture, ShiftLeft then provides detailed guidance on risk remediation within existing development workflows and tooling. Teams that use ShiftLeft ship more secure code, faster. Backed by SYN Ventures, Bain Capital Ventures, Blackstone, Mayfield, Thomvest Ventures, and SineWave Ventures, ShiftLeft is based in Santa Clara, California. For information, visit: www.shiftleft.io.

Share

See for yourself – run a scan on your code right now