[German]The Qualys Threat Research Unit (TRU) has recently uncovered four significant vulnerabilities in the GNU C Library (glibc). This library is used in countless Linux applications in common Linux distributions. The vulnerabilities allow attackers to gain root privileges on Linux systems.
The GNU C Library, or glibc, is an essential component of virtually every Linux-based system and serves as the central interface between applications and the Linux kernel. Vulnerabilities in this library have an impact on the security of Linux distributions.
Vulnerability in GNU C Library (glibc)
I became aware of the issue documented by Qualys in the post Qualys TRU Discovers Important Vulnerabilities in GNU C Library's syslog() via the following tweet.
There are four vulnerabilities in total. Three of them sit in the syslog code path and carry CVE identifiers:
- CVE-2023-6246 (glibc): a heap-based buffer overflow in the __vsyslog_internal() function.
- CVE-2023-6779 (glibc): a heap-based buffer overflow in the __vsyslog_internal() function.
- CVE-2023-6780 (glibc): an integer overflow in the __vsyslog_internal() function.
The vulnerability CVE-2023-6246 in the __vsyslog_internal() function of the GNU C Library affects syslog() and vsyslog(). This heap-based buffer overflow was inadvertently introduced in glibc 2.37 (August 2022) and subsequently backported to glibc 2.36 as part of the fix for another, less severe vulnerability (CVE-2022-39046).
According to Qualys, the vulnerabilities in the glibc functions syslog and qsort illustrate that even the most basic and trusted components are not immune to errors. The impact of these vulnerabilities goes far beyond individual systems, affecting many applications and potentially millions of users worldwide.
Major Linux distributions such as Debian (versions 12 and 13), Ubuntu (23.04 and 23.10) and Fedora (37 to 39) have been shown to be vulnerable. The flaw enables a local privilege escalation by which an unprivileged user gains full root access, as demonstrated in Fedora 38. The vulnerabilities were discovered and reported in December 2023 and patched in January 2024, so Qualys has now disclosed the issue.
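A quick inventory check for the affected version range described above, as an added example (not code from the post or from Qualys). It assumes the flaw is present from glibc 2.36 (backport) and 2.37 onward, as stated above, and that it is fixed upstream in glibc 2.39 (an assumption; the post does not name the fixed release); distributions backport fixes into older version numbers, so a "vulnerable" result means "verify the package changelog", not proof.

```python
"""Check whether a glibc version lies in the range affected by the
syslog()/vsyslog() bugs (CVE-2023-6246, CVE-2023-6779, CVE-2023-6780).

Added example, not part of the original post or of Qualys' advisory.
Assumptions: affected from glibc 2.36/2.37 onward (per the post) and
fixed upstream in glibc 2.39 (assumed fix release, not named in the post).
Distribution packages often carry backported fixes under an older version
number, so a positive result is a prompt to check the package changelog.
"""
import ctypes
import re

FIRST_AFFECTED = (2, 36)   # backport of the buggy code landed in 2.36
FIXED_UPSTREAM = (2, 39)   # assumption, see module docstring


def parse_glibc_version(text: str) -> tuple[int, int]:
    """Extract major.minor from '2.37', '2.36-9+deb12u4' or the
    'ldd (GNU libc) 2.36' line that `ldd --version` prints."""
    m = re.search(r"(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no glibc version found in {text!r}")
    return int(m.group(1)), int(m.group(2))


def affected_by_syslog_cves(version: str) -> bool:
    """True if the upstream version number is in [2.36, 2.39)."""
    return FIRST_AFFECTED <= parse_glibc_version(version) < FIXED_UPSTREAM


def installed_glibc_version() -> str:
    """Ask the running libc for its version via gnu_get_libc_version()."""
    libc = ctypes.CDLL(None)
    fn = libc.gnu_get_libc_version
    fn.restype = ctypes.c_char_p
    return fn().decode()


if __name__ == "__main__":
    ver = installed_glibc_version()
    state = "in affected range" if affected_by_syslog_cves(ver) else "outside affected range"
    print(f"glibc {ver}: {state} (check the distro package changelog for backported fixes)")
```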