The Ksplice team occasionally fixes userspace security bugs from the kernel. Patching a userspace vulnerability from the kernel is useful when the userspace fix is particularly complex (and the kernel-side one is not), or when the vulnerable userspace code is hard to patch in place. A kernel Ksplice update is now available for CVE-2023-4911 (also known as “Looney Tunables”); it blocks the vulnerability and adds Known Exploit Detection.
CVE-2023-4911 was reported by the Qualys Threat Research Unit, which discovered a vulnerability in the GNU C Library’s dynamic loader (ld.so) that allows an unprivileged local user to gain root privileges. The flaw is in the loader’s parsing of the GLIBC_TUNABLES environment variable: a malformed tunables string triggers a buffer overflow in ld.so while it processes the environment of a set-uid program. This vulnerability was patched in Oracle Linux in the following advisories for OL 8, OL 7, OL 6, and Oracle VM.
While Ksplice offers the ability to patch userspace glibc, for this particular vulnerability we found it more effective to block the attack directly in the kernel. The conditions required to execute the “Looney Tunables” attack are easy for the kernel to recognize: the attack requires a non-root user to execute a set-uid binary with specially crafted environment variables, including a GLIBC_TUNABLES value of incorrect format. The kernel can see both the set-uid exec and the malformed variable at exec time and refuse to run the binary in that case. As an added benefit, we report the attempt through Ksplice Known Exploit Detection so that operators are aware of the ongoing attack.
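The exec-time check described above, as an added example that is not the Ksplice patch or any Oracle code: a userspace model in C of the policy a kernel-side protection could apply. The malformed shape it looks for is the one the Looney Tunables exploit needs, a colon-separated tunables entry that carries more than one “=” (for example `glibc.malloc.mxfast=glibc.malloc.mxfast=A`); the function names, the `comm` parameter and the stderr message standing in for the kernel log line are assumptions for illustration, and the sample environments are constructed.

```c
/* Added example (not Ksplice code): model of a kernel-side check that
 * refuses to exec a set-uid binary for a non-root caller when the
 * GLIBC_TUNABLES environment variable is malformed in the way
 * CVE-2023-4911 needs: a colon-separated entry holding more than one '='.
 * Function names and the report message are illustrative assumptions. */
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Returns 1 if a single "name=value" element carries more than one '='. */
static int tunable_entry_malformed(const char *start, size_t len)
{
    int equals = 0;
    for (size_t i = 0; i < len; i++)
        if (start[i] == '=' && ++equals > 1)
            return 1;
    return 0;
}

/* Returns 1 if any colon-separated element of a GLIBC_TUNABLES value is
 * malformed. Takes the value part only (the text after "GLIBC_TUNABLES="). */
int glibc_tunables_malformed(const char *value)
{
    const char *p = value;
    for (;;) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (tunable_entry_malformed(p, len))
            return 1;
        if (!colon)
            return 0;
        p = colon + 1;
    }
}

/* Model of the exec-time policy: block only the dangerous combination, a
 * non-root caller executing a set-uid binary whose new environment carries a
 * malformed GLIBC_TUNABLES. envp is the NULL-terminated environment of the
 * new image. Returns 1 to block; the stderr line stands in for the kernel
 * log message an exploit-detection report would produce. */
int block_setuid_exec(uid_t caller_uid, int target_is_setuid,
                      const char *comm, char *const envp[])
{
    static const char key[] = "GLIBC_TUNABLES=";

    if (caller_uid == 0 || !target_is_setuid)
        return 0;   /* ordinary exec, or already root: nothing to gain */

    for (size_t i = 0; envp[i] != NULL; i++) {
        if (strncmp(envp[i], key, sizeof(key) - 1) != 0)
            continue;
        if (glibc_tunables_malformed(envp[i] + sizeof(key) - 1)) {
            fprintf(stderr,
                    "exploit attempt: uid %u exec of set-uid %s with malformed GLIBC_TUNABLES\n",
                    (unsigned)caller_uid, comm);
            return 1;
        }
    }
    return 0;
}

int main(void)
{
    /* Constructed sample environments: a legitimate tunables string and the
     * doubled "name=name=value" form the exploit relies on. */
    char *const benign[] = {
        "PATH=/usr/bin",
        "GLIBC_TUNABLES=glibc.malloc.mxfast=64:glibc.malloc.tcache_count=0",
        NULL
    };
    char *const crafted[] = {
        "PATH=/usr/bin",
        "GLIBC_TUNABLES=glibc.malloc.mxfast=glibc.malloc.mxfast=A",
        NULL
    };

    printf("benign,  uid 1000, su:  block=%d\n", block_setuid_exec(1000, 1, "su", benign));
    printf("crafted, uid 1000, su:  block=%d\n", block_setuid_exec(1000, 1, "su", crafted));
    printf("crafted, uid 1000, cat: block=%d\n", block_setuid_exec(1000, 0, "cat", crafted));
    printf("crafted, uid 0,    su:  block=%d\n", block_setuid_exec(0, 1, "su", crafted));
    return 0;
}
```

Only the crafted environment combined with a non-root caller and a set-uid target is blocked; the same string passed to a non-set-uid program, or by root, is left alone, which mirrors the point in the text that the kernel can confine the check to the exact conditions the attack needs rather than policing every use of GLIBC_TUNABLES.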
Known Exploit Detection lets system administrators log and alert on future attempts to exploit a vulnerability, even after the system has been patched. The Ksplice team shipped this additional protection from the kernel side so that affected systems are protected without any operator intervention, and so that exploitation attempts are logged via Ksplice Known Exploit Detection.
For another example of a userspace vulnerability patched from the kernel, see the kernel-side protection and exploit detection for the PWNKIT vulnerability. You can also read more about recent Known Exploit Detection patches on our blog.