While Bugs Bunny and company may be part of your favorite childhood memories, the Looney Tunables vulnerability could become one of your worst nightmares. CVE-2023-4911 remains under analysis but comes with a base Common Vulnerability Scoring System (CVSS) score of 7.8 (high). Primarily impacting Fedora, Ubuntu, and Debian, the easily exploitable buffer overflow vulnerability gives attackers a way to gain root privileges on a Linux system.
To prevent attackers from using the Looney Tunables vulnerability to become the Porky Pig of data, you should know what it is, how they can exploit it, and whether they can exploit it in the context of your code.
What is the Looney Tunables Vulnerability?
The Looney Tunables vulnerability (CVE-2023-4911) is a buffer overflow vulnerability introduced in the GNU C Library (glibc) in April 2021 (glibc 2.34) by commit 2ed18c. When the dynamic loader (ld.so) processes the GLIBC_TUNABLES environment variable, local attackers can maliciously craft GLIBC_TUNABLES variables and execute code with elevated privileges.
What are the known affected software configurations?
The National Vulnerability Database (NVD) uses the Common Platform Enumeration (CPE) to identify three specific configurations affected by the vulnerability.
Of note, since Alpine Linux uses musl libc, it is not at risk from attacks leveraging this vulnerability.
GNU C Library
If you think you have used a vulnerable version of the glibc, you can use the following CPEs:
If you think you have used a vulnerable version of the Fedora Project, you can use the following CPEs:
If you think you have used a vulnerable version of RedHat, you can use the following CPEs:
Additional At-Risk Distros
According to researchers, the vulnerability exists on the default installations of the following:
- Ubuntu: 22.04 and 23.04
- Debian: 12 and 13
While the researchers successfully identified and exploited the vulnerability in these distributions, they note that others are likely at risk.
Overview of an Exploit Leveraging Looney Tunables
Looney Tunables is a straightforward buffer overflow vulnerability that occurs at the beginning of the dynamic loader’s execution. Since the dynamic loader prepares and runs programs, it:
- Determines and allocates shared libraries
- Links shared libraries with the executable at runtime
- Resolves symbol references, like function and variable references
The TL;DR of the technical information is that the vulnerability gives attackers a way to redirect data to a location of their choice, enabling a data-only attack. Since attackers can use the Luney Tunables vulnerability to overwrite pointers, they can break the dynamic loader’s logic.
The _tunables_init() can process multiple GLIBC_TUNABLES environment variables, and the Linux kernel is a top-down allocator, enabling the researchers to:
- Map an initial GLIBC_TUNABLES to memory without overflowing
- Map a second GLIBC_TUNABLES immediately below and overflow it
Since the dynamic loader allocates memory for the link_map structure, the buffer overflow gives attackers a way to overwrite pointers in that structure. By overwriting the pointer for the “Library search path” attackers could control where it points to. This capability enables them to force the dynamic loader to trust a directory that they own and execute arbitrary code.
At this point, the parse_tunables writes the bytes out-of-bounds, and the original GLIBC_TUNABLES environment variable reads them. This is the point where the attackers can use the buffer overflow to overwrite all pointers, except for the one that directs to their malicious library.
QwietAI: Mitigate Looney Tunables Vulnerability Risks by Identifying Reachable Vulnerabilities
While attackers may be able to easily exploit the Luney Tunables vulnerability, you need to know whether they can use it within the context of your source code. Researchers proved that Luney Tunable as a standalone code vulnerability can lead to an attack. However, depending on how you integrate the at-risk code into your source code, attackers may not be able to exploit your application.
Qwiet AI’s preZero platform looks for vulnerabilities and uses data flow analyses. By combining vulnerability scans with software composition analysis (SCA), Qwiet AI enables you to identify the vulnerabilities that attackers can use within the context of your unique source code. While Luney Tunables may pose a high risk because attackers can use it, they may not be able to exploit your application if their inputs can’t affect the vulnerable library or if a user-controlled path within your application never calls the library.