Vulnerabilities and Threats

Is Looney Tunables [CVE-2023-4911] as bad as everyone says?


Key Points

Grab security updates for your Linux distributions because there's a security hole that can be easily exploited by rogue users, intruders, and malicious software to gain root access and take over the box.

What is Looney Tunables (CVE-2023-4911)?

Looney Tunables (CVE-2023-4911) is a buffer overflow vulnerability in the GNU C Library's handling of an environmental variable. It was spotted by Qualys, which has gone public with some of the details now that patches are being emitted.  

This ‘Looney Tunables' could pose a risk of unauthorized data access, system alterations, potential data theft, and takeover of vulnerable systems, especially in the IoT and embedded computing.

What systems are at risk?

Fedora, Ubuntu, and Debian are the systems most at risk from the bug (CVE-2023-4911 CVSS 7.8). It's found in the GNU C Library (glibc) in the GNU system, which is found in most systems running the Linux kernel.

Glibc is a library that defines the system calls and other basic functionalities, such as open, malloc, printf, exit, etc., that a typical program requires. The vulnerability occurs in how the dynamic loader of glibc processes the GLIBC_TUNABLES environment variable, the researchers said, thus giving the bug its name.

Should you apply the Looney Tunables patch?

The potential ramifications show the importance of patching (even though the researchers chose not to release their exploit). They did, however, release a technical breakdown of the vulnerability. Active exploitation has been observed by threat actors who are chaining this vulnerability with other vulnerabilities which grant initial access.

While Looney Tunables (CVE-2023-4911) shouldn’t be ignored because it allows unprivileged users on Linux hosts to get administrative access when they shouldn't be able to, it’s not headline news. While it’s a real issue, the attacker has to have a level of access to the server already – in other words it’s not remotely exploitable from your web application or randomly across the internet.

If you have an environment where you give people unprivileged accounts on your server then of course you should mitigate or patch. If you don’t, it's only useful to an attacker as a later stage of an attack, when they already have access. Our advice? Don’t lose any sleep over it.  

Get our free

Ultimate Guide to Vulnerability Scanning

Learn everything you need to get started with vulnerability scanning and how to get the most out of your chosen product with our free PDF guide.

Sign up for your free 14-day trial

7 days free trial