Qualys Warns of a GNU C Library Flaw Leading to a Privilege Escalation Vulnerability in Linux

Researchers at security firm Qualys have warned of a vulnerability in the GNU C Library (glibc) that leaves Linux systems exposed to local privilege escalation attacks — giving anyone on the system full root access.

"We discovered a heap-based buffer overflow in the GNU C Library's __vsyslog_internal() function," the researchers write in their security advisory, brought to our attention by Bleeping Computer, "which is called by both syslog() and vsyslog(). This vulnerability was introduced in glibc 2.37 (in August 2022) […] and was also back-ported to glibc 2.36 because this commit was a fix for another, minor vulnerability in __vsyslog_internal()."

It's a serious problem: according to Qualys, the vulnerability allows for local unprivileged users to carry out a privilege escalation attack — trading their unprivileged account for full root access. As it's in the most commonly-used C library in Linux distributions, it's also broad in scope: the team confirmed it could be exploited in Debian Linux 12 and 13, Ubuntu Linux 23.04 and 23.10, and Fedora Linux 37 through to 39 inclusive.

"To the best of our knowledge," the team confirms in a thankful mitigation, "this vulnerability cannot be triggered remotely in any likely scenario because it requires an argv[0], or an openlog() ident argument, longer than 1024 bytes to be triggered" — meaning it can only be exploited by those who already have access to an unprivileged account on the system.

"In our tests," the researchers add, "it takes a few 10,000s of tries to successfully brute force the exploit parameters (the length of argv[0], and the whitelist option and its associated environment variables). Note: this exploit could certainly be made much more efficient; in theory, it could even be a one-shot exploit, because we do not need to brute force the ASLR [Address Space Layout Randomization], only the heap layout."

The full disclosure is available on the Qualys website, along with a note that demonstrates that there's little new under the sun in software development: "In December 1997," the researchers note, "Solar Designer published information about a very similar vulnerability in the vsyslog() of the old Linux libc."