Major Linux distros targeted by hackers exploiting this significant flaw

Linux
He can work for you (Image credit: Linux Foundation)

A high-severity flaw has been sitting in many Linux endpoints for two years now, potentially allowing threat actors to run malicious code with elevated privileges. 

This is according to cybersecurity researchers from Qualys’ Threat Research Unit, which shared in its writeup, that the flaw is tracked as CVE-2023-4911. This is a buffer overflow weakness in the GNU C Library’s (glibc) Id.so dynamic loader, first introduced with glibc 2.34, back in April 2021.

"Our successful exploitation, leading to full root privileges on major distributions like Fedora, Ubuntu, and Debian, highlights this vulnerability’s severity and widespread nature," said Saeed Abbasi, Product Manager at Qualys' Threat Research Unit. "Although we are withholding our exploit code for now, the ease with which the buffer overflow can be transformed into a data-only attack implies that other research teams could soon produce and release exploits.”

Looney Tunables

“This could put countless systems at risk, especially given the extensive use of glibc across Linux distributions," Abbasi concluded.

The flaw rears its ugly head, the researcher further explained, when processing GLIBC_TUNABLES environment variable on default installations of Debian 12 and 13, Ubuntu 22.04 and 23.04, and Fedora 37 and 38. Alpine Linux is home-free as it uses musl libc, it was also added.

As a result, low-privileged attackers can run low-complexity attacks without the need for the victim to interact in any way. 

"With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it’s imperative for system administrators to act swiftly," the researcher warned. "While Alpine Linux users can breathe a sigh of relief, others should prioritize patching to ensure system integrity and security."

Qualys dubbed the vulnerability “Looney Tunables”.

Via BleepingComputer

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Close up of the Linux penguin.
A new Linux backdoor is hitting US universities and governments
Representational image depecting cybersecurity protection
OpenSSH vulnerabilities could pose huge threat to businesses everywhere
coding
Popular open source vulnerability scanner Nuclei forced to patch worrying security flaw
A hacker wearing a hoodie sitting at a computer, his face hidden.
Experts warn this critical PHP vulnerability could be set to become a global problem
Digital image of a lock.
Nvidia systems could be facing another worrying security flaw
A person at a laptop with a cybersecure lock symbol floating above it.
Hackers are still using old Ivanti bugs to break into networks
Latest in Security
Isometric demonstrating multi-factor authentication using a mobile device.
NCSC gets influencers to sing the praises of 2FA
Sam Altman and OpenAI
OpenAI is upping its bug bounty rewards as security worries rise
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Dangerous new CoffeeLoader malware executes on your GPU to get past security tools
China
Notorious Chinese hackers FamousSparrow allegedly target US financial firms
A digital representation of a lock
NYU website defaced as hacker leaks info on a million students
NHS
NHS IT supplier hit with major fine following ransomware attack
Latest in News
Google Pixel Watch 3 side dial and button
Google Gemini reportedly spotted on Wear OS – could a rollout be close at hand?
Nintendo Switch 2 Joy-Con up-close from app store
Nintendo's new app gave us another look at the Switch 2, and there's something different with the Joy-Con
cheap Nintendo Switch game deals sales
Nintendo didn't anticipate that Mario Kart 8 Deluxe was 'going to be the juggernaut' for the Nintendo Switch when it was ported to the console, according to former employees
Toni Collette in Hereditary
Everything leaving Netflix in April 2025 – from the scariest movie ever made to a beloved DreamWorks animation with 99% on Rotten Tomatoes
Three angles of the Apple MacBook Air 15-inch M4 laptop above a desk
Apple MacBook Air 15-inch (M4) review roundup – should you buy Apple's new lightweight laptop?
Witchbrook
Witchbrook, the life-sim I've been waiting years for, finally has a release window and it's sooner than you think