CVE-2023-4911
Published: 03 October 2023
Summary
CVE-2023-4911 is a high-severity heap-based buffer overflow (CWE-122) vulnerability in Red Hat CodeReady Linux Builder EUS. Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE is ranked in the top 0.5% of CVEs by exploit likelihood, CISA has added it to the Known Exploited Vulnerabilities catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
A buffer overflow vulnerability exists in the GNU C Library dynamic loader ld.so during handling of the GLIBC_TUNABLES environment variable. The flaw, tracked as CVE-2023-4911 and assigned CVSS 7.8, affects processing logic that is reachable when SUID binaries are executed, and maps to CWE-122 and CWE-787.
A local attacker with the ability to set environment variables can supply a maliciously crafted GLIBC_TUNABLES value when invoking an SUID binary. Successful exploitation grants arbitrary code execution with the privileges of the binary owner, typically root.
Red Hat has published the advisories RHSA-2023:5453, RHSA-2023:5454, RHSA-2023:5455, RHSA-2023:5476, and RHSA-2024:0033 that deliver patched glibc packages. The associated EPSS score reached a peak of 0.7426 and currently stands at 0.6505, indicating material post-disclosure exploitation interest.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-54750
Vulnerability details
A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
- CWE(s): CWE-122, CWE-787
- KEV Date Added: 21 November 2023
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE-2023-4911 is a buffer overflow in glibc's ld.so, exploitable via a crafted GLIBC_TUNABLES environment variable when launching SUID binaries, enabling local privilege escalation.
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): directly requires applying the Red Hat errata patches that eliminate the vulnerable ld.so buffer-overflow handling of GLIBC_TUNABLES.
SI-10 (Information Input Validation): mandates validation of untrusted input (here the GLIBC_TUNABLES environment variable) before the dynamic loader expands it.
Requires minimizing the set of SUID/SGID binaries that a local attacker can invoke with a crafted environment, thereby reducing the attack surface for local privilege escalation.
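An added defender-side example, not part of this advisory entry, supporting the last two controls: it inventories setuid/setgid binaries on a host and flags process-exec telemetry in which such a binary is launched with GLIBC_TUNABLES in its environment. The event schema, the sample events and the sample SUID set are constructed assumptions.

```python
"""Constructed helper for CVE-2023-4911 monitoring (not from the advisory)."""
import os
import stat


def suid_binaries(root="/"):
    """Return the set of regular files under `root` with the setuid or setgid bit set.

    Supports the 'minimise SUID/SGID binaries' mitigation: review this list and
    strip the bit from anything that does not need it.
    """
    found = set()
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.add(path)
    return found


def flag_events(events, suid_set):
    """Flag exec events where a setuid/setgid binary starts with GLIBC_TUNABLES set.

    `events` is an iterable of dicts shaped like {"pid": int, "exe": path,
    "env": {NAME: value}} (assumed telemetry schema). A SUID launch that carries
    GLIBC_TUNABLES is unusual on a normal host and is the condition the
    vulnerable ld.so code path is reached under, so it is worth an alert.
    """
    return [
        ev for ev in events
        if ev.get("exe") in suid_set and "GLIBC_TUNABLES" in ev.get("env", {})
    ]


# Constructed sample data; the tunable values below are ordinary, benign settings.
SAMPLE_SUID = {"/usr/bin/su", "/usr/bin/passwd"}
SAMPLE_EVENTS = [
    {"pid": 101, "exe": "/usr/bin/ls", "env": {"GLIBC_TUNABLES": "glibc.malloc.tcache_count=2"}},
    {"pid": 102, "exe": "/usr/bin/su", "env": {"LANG": "C"}},
    {"pid": 103, "exe": "/usr/bin/su", "env": {"GLIBC_TUNABLES": "glibc.malloc.mxfast=64"}},
]

if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS, SAMPLE_SUID):
        print(f"ALERT pid={hit['pid']} exe={hit['exe']} GLIBC_TUNABLES={hit['env']['GLIBC_TUNABLES']}")
```

On a live host, pass `suid_binaries("/")` as the second argument instead of the constructed set; only event 103 above (a SUID binary started with GLIBC_TUNABLES) is flagged.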