The Qualys Threat Research Unit has identified a heap-based buffer overflow vulnerability (CVE-2023-6246) in the GNU C library (glibc). This vulnerability allows unauthorized users to gain root access and was unintentionally introduced in August 2022 with the release of glibc 2.37. It originated from a commit intended to address another vulnerability (CVE-2022-39046) [1]. Crafted inputs to applications using the affected logging functions can trigger this vulnerability. The impact extends to various Linux operating system distributions, including Debian [1], Ubuntu [1] [3] [4], and Fedora [1] [3] [4], and is likely to affect other distributions as well [1].

Description

The Qualys Threat Research Unit has discovered a heap-based buffer overflow vulnerability (CVE-2023-6246) in the GNU C library (glibc). This vulnerability affects the __vsyslog_internal() function and allows unauthorized users to gain root access. It was accidentally introduced in August 2022 with the release of glibc 2.37 [3] [4], as a result of a commit intended to fix another vulnerability (CVE-2022-39046) [1]. The vulnerability can be triggered by crafted inputs to applications that use the affected logging functions [1]. The researchers have tested the vulnerability on various Linux operating system distributions [1], including Debian [1], Ubuntu [1] [3] [4], and Fedora [1] [3] [4], and it is likely to impact other distributions as well [1].

Further analysis of glibc has revealed two additional flaws in the __vsyslog_internal() function (CVE-2023-6779 and CVE-2023-6780) [3] [4], as well as a bug in the qsort() function that can lead to memory corruption. The vulnerability in qsort() has affected all glibc versions released since 1992 [3] [4]. These vulnerabilities can be exploited for privilege escalation or denial of service [2]. The developers of glibc have already patched the memory corruption issue in the master branch [2].

Conclusion

These discoveries underscore the critical importance of implementing stringent security measures in software development, particularly for widely used core libraries [3]. The impact of these vulnerabilities extends to various Linux operating system distributions, and it is crucial for users to apply the necessary patches and updates to mitigate the risks. Additionally, the identification of flaws in glibc dating back to 1992 highlights the need for ongoing vigilance and regular security audits to ensure the integrity and safety of software systems.

References

[1] https://securityaffairs.com/158369/breaking-news/gnu-library-c-glibc-cve-2023-6246-flaw.html
[2] https://packetstormsecurity.com/files/cve/CVE-2023-6246
[3] https://owasp.or.id/2024/01/31/new-glibc-flaw-grants-attackers-root-access-on-major-linux-distros/
[4] https://thehackernews.com/2024/01/new-glibc-flaw-grants-attackers-root.html