Skip to content

OSG-SEC-2023-10-09 HIGH Severity GNU C Library Privilege Escalation

Dear OSG Security Contacts,

A HIGH risk buffer overflow vulnerability was identified in GNU C Library's dynamic loader ld.so which may lead to privilege escalation. [1] [2].

IMPACTED VERSIONS:

This affects RHEL8, RHEL9 and derivatives, but not RHEL7.

WHAT ARE THE VULNERABILITIES:

A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.

WHAT YOU SHOULD DO:

Where possible, sites running vulnerable versions should update as soon as possible. Note that updating will require a reboot of affected systems [5]. See references below.

Sites also have the option of mitigation [2], however, the mitigation suggested does not persist after a restart, and so updating to a patched version as soon as possible is recommended.

REFERENCES

Thanks to the EGI SVG for bringing this vulnerability to our attention.

[1] https://nvd.nist.gov/vuln/detail/CVE-2023-4911 [2] https://access.redhat.com/security/cve/CVE-2023-4911 [3] https://lists.centos.org/pipermail/centos-announce/ [4] https://errata.almalinux.org/ [5] https://access.redhat.com/solutions/27943

Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team