Malicious local attackers can gain full root access on Linux machines by taking advantage of a newly disclosed security flaw in the GNU C library (aka glibc).
Tracked as CVE-2023-6246, the heap-based buffer overflow vulnerability is rooted in glibc’s __vsyslog_internal() function, which is used by syslog() and vsyslog() for system logging purposes. It’s said to have been accidentally introduced in August 2022 with the release of glibc 2.37.
“This flaw allows local privilege escalation, enabling an unprivileged user to gain full root access,” Saeed Abbasi, product manager of the Threat Research Unit at Qualys, said, adding it impacts major Linux distributions like Debian, Ubuntu, and Fedora.
A threat actor could exploit the flaw to obtain elevated permissions via specially crafted inputs to applications that employ these logging functions.
“Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv or openlog() ident argument), its impact is significant due to the widespread use of the affected library,” Abbasi said.
The cybersecurity firm said further analysis of glibc unearthed two more flaws in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) and a third bug in the library’s qsort() function that can lead to memory corruption.
The vulnerability found in qsort() has affected all glibc versions released since 1992.
The development comes nearly four months after Qualys detailed another high-severity flaw in the same library called Looney Tunables (CVE-2023-4911, CVSS score: 7.8) that could result in privilege escalation.
“These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications,” Abbasi said.