Qualys said its team successfully identified and exploited the vulnerability to allow a local attacker to achieve root privileges on the default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. Most other distributions are said to be affected, though Alpine Linux is not because it uses musl libc rather than glibc.
[…]
Red Hat has assigned the issue as CVE-2023-4911, and given it a CVSS score of 7.8 out of 10 in terms of severity.
https://www.theregister.com/2023/10/04/linux_looney_tunables_bug/
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
https://access.redhat.com/security/cve/cve-2023-4911
Personal remark:
At least this is not a remote code execution vulnerability. The attacker needs local access to your system to pull it off. Having said that, I've installed the updates this morning as soon as I read the news. Better safe than sorry.
[Edited at 2023-10-05 00:56 GMT]
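Added example (not from The Register, Red Hat, or the poster above): the advisory says the bug is triggered when glibc's dynamic loader ld.so handles GLIBC_TUNABLES while starting a SUID binary, and that musl-based systems are out of scope. A defender's first question is therefore which SUID binaries on a host are actually started through glibc's loader. The script below walks a directory tree, picks out setuid executables, and reads the PT_INTERP entry from each ELF file to see whether its interpreter is glibc's ld-linux (exposed until the glibc update is applied) or musl's ld-musl (not affected). The tiny ELF64 builder is only there to produce constructed sample images for offline runs; no real binaries are embedded. The loader basenames are assumptions based on standard naming, and the fix itself is still the distribution's glibc package update, which this inventory does not replace.

```python
import os
import stat
import struct
import sys
from typing import List, Optional, Tuple

PT_INTERP = 3  # program header type that names the dynamic loader


def elf_interp(data: bytes) -> Optional[str]:
    """Return the PT_INTERP path of an ELF image (32- or 64-bit), or None."""
    if len(data) < 52 or data[:4] != b"\x7fELF":
        return None
    ei_class, ei_data = data[4], data[5]
    endian = "<" if ei_data == 1 else ">"
    if ei_class == 2:  # ELF64: e_phoff at 32, e_phentsize/e_phnum at 54
        (e_phoff,) = struct.unpack_from(endian + "Q", data, 32)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 54)
        phdr_fmt = endian + "IIQQQQQQ"  # type, flags, offset, vaddr, paddr, filesz, memsz, align
        off_idx, size_idx = 2, 5
    elif ei_class == 1:  # ELF32: e_phoff at 28, e_phentsize/e_phnum at 42
        (e_phoff,) = struct.unpack_from(endian + "I", data, 28)
        e_phentsize, e_phnum = struct.unpack_from(endian + "HH", data, 42)
        phdr_fmt = endian + "IIIIIIII"  # type, offset, vaddr, paddr, filesz, memsz, flags, align
        off_idx, size_idx = 1, 4
    else:
        return None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + struct.calcsize(phdr_fmt) > len(data):
            return None  # truncated or malformed image
        fields = struct.unpack_from(phdr_fmt, data, off)
        if fields[0] != PT_INTERP:
            continue
        p_offset, p_filesz = fields[off_idx], fields[size_idx]
        raw = data[p_offset:p_offset + p_filesz]
        return raw.split(b"\0", 1)[0].decode("ascii", "replace")
    return None  # statically linked or no interpreter


def is_glibc_loader(interp: str) -> bool:
    """Assumed naming: glibc ships ld-linux-*.so.*, ld.so.1 or ld64.so.*; musl ships ld-musl-*.so.1."""
    name = os.path.basename(interp)
    return name.startswith(("ld-linux", "ld64.so", "ld.so"))


def exposed_setuid_binaries(root: str = "/") -> List[Tuple[str, str]]:
    """Setuid regular files under root whose ELF interpreter is glibc's loader."""
    found: List[Tuple[str, str]] = []
    for dirpath, _dirs, filenames in os.walk(root):  # symlinks not followed
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not (st.st_mode & stat.S_ISUID):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable file: skip rather than abort the inventory
            interp = elf_interp(data)
            if interp and is_glibc_loader(interp):
                found.append((path, interp))
    return found


def build_sample_elf64(interp: bytes, little_endian: bool = True) -> bytes:
    """Constructed test image: 64-byte header, one PT_INTERP phdr, then the path string."""
    endian = "<" if little_endian else ">"
    ehdr_size, phdr_size = 64, 56
    payload = interp + b"\0"
    e_ident = b"\x7fELF" + bytes([2, 1 if little_endian else 2, 1]) + b"\0" * 9
    ehdr = e_ident + struct.pack(
        endian + "HHIQQQIHHHHHH",
        2, 62, 1, 0, ehdr_size, 0, 0, ehdr_size, phdr_size, 1, 0, 0, 0)
    phdr = struct.pack(endian + "IIQQQQQQ", PT_INTERP, 4,
                       ehdr_size + phdr_size, 0, 0, len(payload), len(payload), 1)
    return ehdr + phdr + payload


if __name__ == "__main__":
    scan_root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for p, i in exposed_setuid_binaries(scan_root):
        print(f"{p}\t{i}")
```

Run it as root (or with read access to the binaries) to get a list of setuid programs that ld.so will start in secure mode; an empty list on an Alpine host and a populated one on a stock Fedora, Ubuntu or Debian install is the expected contrast the article describes.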