A newly uncovered vulnerability in the GNU C library (glibc) puts major Linux distributions at risk

By Isabella Morgan

A newly uncovered vulnerability in the GNU C library (glibc) puts major Linux distributions at risk, potentially allowing local attackers to gain root access on affected systems.

Tracked as CVE-2023-6246 and carrying a CVSS score of 7.8, this heap-based buffer overflow resides in the __vsyslog_internal() function within glibc, which is used for system logging by syslog() and vsyslog(). The vulnerability, introduced accidentally in August 2022 with glibc version 2.37, poses a significant threat to Linux distributions like Debian, Ubuntu, and Fedora, according to Saeed Abbasi, product manager of Qualys' Threat Research Unit.

Exploitation of the vulnerability could enable unprivileged users to escalate their privileges and gain full root access by manipulating inputs to applications employing the affected logging functions. Although specific conditions must be met for exploitation, such as an unusually long argv[0] or openlog() ident argument, the widespread adoption of the vulnerable library amplifies the potential impact.

Further examination by Qualys uncovered two additional flaws (CVE-2023-6779 and CVE-2023-6780) within the __vsyslog_internal() function and a memory corruption bug in glibc’s qsort() function. Notably, the vulnerability in qsort() affects all glibc versions released since 1992.

This revelation follows Qualys’ disclosure of another high-severity flaw in glibc, known as Looney Tunables (CVE-2023-4911), emphasizing the critical importance of robust security practices in software development, particularly for core libraries utilized across numerous systems and applications.