OSG-SEC-2023-10-09 HIGH Severity GNU C Library Privilege Escalation
Dear OSG Security Contacts,
A HIGH risk buffer overflow vulnerability was identified in GNU C Library's dynamic loader ld.so which may lead to privilege escalation. [1] [2].
IMPACTED VERSIONS:
This affects RHEL8, RHEL9 and derivatives, but not RHEL7.
WHAT ARE THE VULNERABILITIES:
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
WHAT YOU SHOULD DO:
Where possible, sites running vulnerable versions should update as soon as possible. Note that updating will require a reboot of affected systems [5]. See references below.
Sites also have the option of mitigation [2], however, the mitigation suggested does not persist after a restart, and so updating to a patched version as soon as possible is recommended.
REFERENCES
Thanks to the EGI SVG for bringing this vulnerability to our attention.
[1] https://nvd.nist.gov/vuln/detail/CVE-2023-4911 [2] https://access.redhat.com/security/cve/CVE-2023-4911 [3] https://lists.centos.org/pipermail/centos-announce/ [4] https://errata.almalinux.org/ [5] https://access.redhat.com/solutions/27943
Please contact the OSG security team at [email protected] if you have any questions or concerns. OSG Security Team