Looney Tunables: New Linux Flaw Enables Privilege Escalation on Major Distributions
Oct 04, 2023
Endpoint Security / Vulnerability
A new Linux security vulnerability dubbed Looney Tunables has been discovered in the GNU C library's ld.so dynamic loader that, if successfully exploited, could lead to a local privilege escalation and allow a threat actor to gain root privileges. Tracked as CVE-2023-4911 (CVSS score: 7.8), the issue is a buffer overflow that resides in the dynamic loader's processing of the GLIBC_TUNABLES environment variable . Cybersecurity firm Qualys, which disclosed details of the bug, said it was introduced as a code commit made in April 2021. The GNU C library, also called glibc , is a core library in Linux-based systems that offers foundational features such as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, and exit. glibc's dynamic loader is a crucial component that's responsible for preparing and running programs, including finding the necessarily shared object dependencies required as well as loading them into memory and lin