Another security issue.

kc1di

Make sure your install of any of the Distros mentioned is up to date.
 


Good find, Dave.

Linux is not the perfect safe haven it is thought to be....there are people working away in the background, discovering things like this which will bring Linux/Ubuntu/Fedora/Debian OS's unstuck if care is not taken, particularly regarding the timely download and install of security updates.

To be clear, an 'exploit' such as this gives a remote intruder access to root privileges on default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38.
Gaining Root privileges means they can do whatever they like on those systems.

?? Is your system fully updated ??
 
The bug appears to have been discovered by a research company who research these matters among other things, so there doesn't appear to be any use of the exploit which has caused a problem for Linux users. It's been fixed upstream, so updating will resolve the issue.

At the bottom of this page: https://www.helpnetsecurity.com/2023/10/05/cve-2023-4911/
one can select links to the following distros: Ubuntu, RedHat, Debian, Fedora, Gentoo, where there is more information on the fixes and the versions of glibc that include the fixes in some cases.

Briefly, the info is as follows:
For the Debian stable distribution (bookworm), this problem has been fixed in version 2.36-9+deb12u3.
For Fedora, it looks like it needs glibc-2.38-6.fc39.
For Red Hat, on its site there's some code available, and a table to see the now unaffected versions.
For Ubuntu 23.04, upgrade to libc6 - 2.37-0ubuntu2.1, and for Ubuntu 22.04, to libc6 - 2.35-0ubuntu3.4.
 
It's been fixed upstream, so updating will resolve the issue.
Good to know

For what it's worth, I searched for libc6 in Linux Mint 21.2, Synaptic Package Manager, and found:

[Screenshot: Synaptic Package Manager search results for libc6]

The entries with a dark green square at the start of a line signify that it is installed.

It would be of interest to see others' results of a similar search in their chosen distros.
 
Linux distribution vendors are urging users to upgrade to a non-vulnerable version of the library: Ubuntu, RedHat, Debian, Fedora, Gentoo.
Note that 'Ubuntu' and 'Debian' include the likes of Linux Mint and LMDE6.
 
It would be of interest to see others' results of a similar search in their chosen distros.
Debian trixie is fine:
Code:
[flip@flop ~]$ apt policy libc6
libc6:
  Installed: 2.37-10
  Candidate: 2.37-10
  Version table:
 *** 2.37-10 500
        500 http://ftp.au.debian.org/debian trixie/main amd64 Packages
        100 /var/lib/dpkg/status
 
Ditto !

Code:
brian@brian-desktop:~$ apt policy libc6
libc6:
  Installed: 2.35-0ubuntu3.4
  Candidate: 2.35-0ubuntu3.4
  Version table:
 *** 2.35-0ubuntu3.4 500
        500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
        500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
        100 /var/lib/dpkg/status
     2.35-0ubuntu3 500
        500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages
brian@brian-desktop:~$

There you are folks.....the code to use is: (Thanks to @osprey)

apt policy libc6
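
An added example, not part of the original thread: it reads the `Installed:` line from `apt policy libc6` output and compares it with the fixed versions quoted earlier in the thread. The comparison is a reimplementation of Debian's version ordering (on a live system `dpkg --compare-versions` does the same job); the codename `lunar` for Ubuntu 23.04 and all function names are assumptions of this example.

```python
import re
from itertools import zip_longest

# Fixed libc6 versions quoted in the thread (Debian 12, Ubuntu 23.04, Ubuntu 22.04).
FIXED = {"bookworm": "2.36-9+deb12u3", "lunar": "2.37-0ubuntu2.1", "jammy": "2.35-0ubuntu3.4"}

def _weights(s):
    # dpkg ordering: '~' sorts before end-of-string (0); letters before punctuation.
    return [-1 if c == "~" else ord(c) if c.isalpha() else ord(c) + 256 for c in s]

def _cmp_part(a, b):
    # Walk alternating (non-digit, digit) chunks, as dpkg does.
    chunks = zip_longest(re.findall(r"(\D*)(\d*)", a), re.findall(r"(\D*)(\d*)", b),
                         fillvalue=("", ""))
    for (ta, na), (tb, nb) in chunks:
        wa, wb = _weights(ta), _weights(tb)
        width = max(len(wa), len(wb))
        wa += [0] * (width - len(wa))
        wb += [0] * (width - len(wb))
        if wa != wb:
            return -1 if wa < wb else 1
        ia, ib = int(na or 0), int(nb or 0)
        if ia != ib:
            return -1 if ia < ib else 1
    return 0

def _split(v):
    # epoch:upstream-revision; a missing epoch or revision counts as 0.
    epoch, rest = v.split(":", 1) if ":" in v else ("0", v)
    upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
    return int(epoch), upstream, rev

def deb_cmp(a, b):
    """Return -1, 0 or 1 following Debian's version ordering."""
    (ea, ua, ra), (eb, ub, rb) = _split(a), _split(b)
    if ea != eb:
        return -1 if ea < eb else 1
    return _cmp_part(ua, ub) or _cmp_part(ra, rb)

def check(policy_text, codename):
    """True = at or past the fix, False = older, None = cannot tell."""
    m = re.search(r"^\s*Installed:\s*(\S+)", policy_text, re.M)
    fixed = FIXED.get(codename)
    if not m or m.group(1) == "(none)" or fixed is None:
        return None
    return deb_cmp(m.group(1), fixed) >= 0

# Sample inputs: the first is trimmed from the thread's output, the second is constructed.
JAMMY_PATCHED = "libc6:\n  Installed: 2.35-0ubuntu3.4\n  Candidate: 2.35-0ubuntu3.4\n"
JAMMY_OLD = "libc6:\n  Installed: 2.35-0ubuntu3\n  Candidate: 2.35-0ubuntu3.4\n"
```

On derivatives such as Linux Mint, pass the codename of the Ubuntu or Debian base the release is built on; a `None` result means the thread gives no fixed version for that release.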
 
It appears that Alpine Linux is not susceptible to this.

 
Assuming responsible reporting and responsible project maintainers, the fix should be available before the security issue/bug is made public. It's when the project doesn't fix it for months on end that it becomes a major problem.
 
Assuming responsible reporting and responsible project maintainers, the fix should be available before the security issue/bug is made public. It's when the project doesn't fix it for months on end that it becomes a major problem.
And I would assume the PC owners installing all updates would play a huge part as well.
 
It appears that Alpine Linux is not susceptible to this.

Alpine, wonderful distro that it is, doesn't use glibc, but musl-libc which is an independent lightweight version of libc, and fits with Alpine's "smallness" capability, though it can be made into a comprehensive distro if one wishes to.
 
And I would assume the PC owners installing all updates would play a huge part as well.

I don't say anything much, but I have serious thoughts and opinions about those people who refuse to upgrade. They're not just a security risk to themselves because they're putting these systems online. So, they're possibly spam bots, C&C endpoints, DDoS tools, open proxies, etc...
 
They're not just a security risk to themselves because they're putting these systems online.
My thoughts exactly.
This is exactly why I regarded this post with trepidation.
The risk to others perhaps not as well versed as you and I, could be quite high.
 
The risk to others perhaps not as well versed as you and I, could be quite high.

Thus the comment. The post doesn't violate any rules but should come with a GIANT caveat. Running this on a public-facing device is just a horrible idea.

Back in the day, there were times when an unpatched Windows XP would be compromised within minutes of going online. I figure that's pretty much true for any OS that old, including Linux. Of course, XP wasn't a true multi-user system and that made it easier, but serious vulnerabilities exist for an OS as old as 09.04.
 
Including the subject matter, it is referred to here, by our LinuxBot (security)

I could almost justify showing the posts to that sub in the main feed, but I figure people would either ignore it or complain. I get a bunch of security information via email, through various mailing lists.
 
So, the user decided to edit out @wizardfromoz's addition. That left me with few options as it went back through the approval queue, so it just got deleted.

(In case folks wonder where the linked page has gone and why it has gone.)
 
Didn't know they could do that, lol, but at least it went through Approval.

Now he has broken the Rules, in part

We may remove or modify any Content submitted at any time, with or without cause, with or without notice. Requests for Content to be removed or modified will be undertaken only at our discretion.

Emphasis is in that I modified his OP.

I have warned him.
 
