CISA Adds CVE-2023-4911 Vulnerability to KEV Catalog Due to Active Exploitation

A critical vulnerability dubbed Looney Tunables in the GNU C library (glibc), a core component of Linux-based systems, has been added to the U.S. Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog. This means that evidence of active exploitation of the vulnerability has been confirmed, and organizations are urged to patch their systems immediately.

The GNU C Library, commonly referred to as glibc, is a fundamental component of Linux-based systems. It provides essential functionalities like file operations, memory allocation, and thread management. glibc’s dynamic loader, a key element, is responsible for preparing and running programs, managing shared object dependencies, and linking them at runtime.

CVE-2023-4911

The vulnerability, tracked as CVE-2023-4911, is a buffer overflow in the dynamic loader's handling of the GLIBC_TUNABLES environment variable. An attacker who supplies a specially crafted GLIBC_TUNABLES value could cause the dynamic loader to overflow its buffer, potentially allowing arbitrary code execution with elevated privileges.
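Because the trigger is an environment variable, one practical hunting check is to audit the GLIBC_TUNABLES values present in running processes. The following script is an added example, not code from the article or from glibc: it parses the NUL-separated layout of /proc/<pid>/environ and flags values that are unusually long or that are not plain colon-separated name=value pairs. The length ceiling, the pair pattern and the sample environ blobs are all assumptions constructed for the demonstration.

```python
# Audit GLIBC_TUNABLES values seen in process environments (/proc/<pid>/environ).
# Assumed heuristics (not from the original article): a legitimate value is short
# and consists of colon-separated, single "name=value" pairs.
from __future__ import annotations

import re

MAX_VALUE_LEN = 256  # assumed ceiling; real tunables strings are far shorter
PAIR_RE = re.compile(r"^[A-Za-z0-9_.]+=[^=]*$")  # exactly one '=' per pair


def parse_environ(blob: bytes) -> dict[str, str]:
    """Parse the NUL-separated KEY=VALUE layout of /proc/<pid>/environ."""
    env: dict[str, str] = {}
    for item in blob.split(b"\0"):
        key, sep, value = item.partition(b"=")
        if sep:  # skips the empty trailing record and any entry without '='
            env[key.decode("latin-1")] = value.decode("latin-1")
    return env


def check_tunables(value: str) -> str | None:
    """Return a reason if a GLIBC_TUNABLES value looks abnormal, else None."""
    if len(value) > MAX_VALUE_LEN:
        return f"value length {len(value)} exceeds {MAX_VALUE_LEN}"
    for pair in value.split(":"):
        if pair and not PAIR_RE.match(pair):
            return f"malformed pair {pair!r}"
    return None


def audit(environs: dict[int, bytes]) -> list[tuple[int, str]]:
    """Return (pid, reason) for every process whose GLIBC_TUNABLES fails a check."""
    findings = []
    for pid, blob in environs.items():
        value = parse_environ(blob).get("GLIBC_TUNABLES")
        reason = check_tunables(value) if value is not None else None
        if reason:
            findings.append((pid, reason))
    return findings


# Constructed sample blobs standing in for /proc/<pid>/environ reads.
SAMPLE_ENVIRONS = {
    1234: b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.mxfast=10:glibc.elision.enable=1\0HOME=/root\0",
    1235: b"PATH=/usr/bin\0HOME=/home/u\0",
    1236: b"GLIBC_TUNABLES=" + b"A" * 2000 + b"\0USER=u\0",
    1237: b"GLIBC_TUNABLES=glibc.malloc.mxfast\0",
}

if __name__ == "__main__":
    for pid, reason in audit(SAMPLE_ENVIRONS):
        print(f"pid {pid}: suspicious GLIBC_TUNABLES ({reason})")
```

On a live host, feed `audit` a mapping built from reading each /proc/<pid>/environ (root is needed for other users' processes); a hit is a lead for investigation, not proof of exploitation.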

The vulnerability impacts major Linux distributions, including Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13. Other distributions are likely to be vulnerable and exploitable as well. Notably, Alpine Linux is not affected due to its use of the musl libc library instead of glibc.

Cybersecurity firm AquaSec has reported that malicious actors affiliated with the Kinsing cryptojacking syndicate are actively exploiting CVE-2023-4911 to gain unauthorized access to cloud environments. This highlights the urgency for organizations to patch their systems immediately.

CISA has strongly recommended that all Federal Civilian Executive Branch (FCEB) agencies apply vendor-provided fixes for CVE-2023-4911 by December 12, 2023.