Ksplice Known Exploit Detection for GLIBC vulnerability CVE-2023-6246

March 19, 2024 | 2 minute read
Denis Efremov
Ksplice Team

This post is part of a regular series on Oracle Ksplice’s Known Exploit Detection. CVE-2023-6246 is a security vulnerability in the glibc library that allows a local attacker to escalate their privileges. Oracle Linux doesn’t use the vulnerable glibc versions. However, we decided to implement Known Exploit Detection for this vulnerability in the kernel, so that system administrators are alerted to, and can report, future attempts to exploit it.

Why Exploit Detection Matters

Oracle Linux provides zero-downtime security updates for the kernel and userspace with Ksplice technology, without any operator intervention. However, we also provide tripwires that alert system administrators when there is an attempt to exploit a known vulnerability. This matters because, for a local attack, such an attempt can signify that there is already some limited malicious access to the system, whether through a misconfiguration, unverified software that was installed, or a malicious user.

We are very specific about the vulnerabilities that get Known Exploit Detection: the vulnerabilities have to be significant and likely to be exploited by malicious users. Not every patched vulnerability will receive Known Exploit Detection; it is reserved for high-profile vulnerabilities. Usually, we ship it only for kernel vulnerabilities. However, CVE-2023-6246 is a glibc vulnerability, and glibc is the most important component of the operating system after the kernel.

GLIBC vulnerability CVE-2023-6246

CVE-2023-6246 was reported by the Qualys Threat Research Unit, which discovered a vulnerability in the GNU C Library’s syslog-related function that allows unprivileged users to gain root privileges. The privilege escalation is achieved by exploiting a heap buffer overflow, which involves an execve syscall with argv[0] longer than 1024 bytes.

Oracle Linux doesn’t use the glibc versions (2.36+) vulnerable to CVE-2023-6246. However, we added Known Exploit Detection to the kernel because executing SUID binaries with length(argv[0]) > 1024 is very uncommon activity on a system, which very likely means there is already an unprivileged malicious user on it. We report this case with Ksplice Exploit Detection to ensure that administrators are aware of the ongoing attack.

For examples of other userspace vulnerabilities that were patched from the kernel, see kernel-side protection and exploit detection for the PWNKIT vulnerability and the “Looney Tunables” vulnerability. You can also read more about recent Known Exploit Detection patches on our blog.
