Dark
Light

Critical Glibc Bug Puts Linux Distributions at Risk

1 min read
79 views

The dynamic loader of the GNU C Library now contains a new buffer overflow vulnerability, which has been identified by security researchers from the Qualys Threat Research Unit ( TRU), illuminating the potential risks to Linux distributions posed by this flaw.

The GLIBC_TUNABLES environment variable, a feature introduced in glibc to allow users to fine-tune the library’s behavior at runtime, is affected by the vulnerability in question. &nbsp,

According to Saeed Abbasi, manager of vulnerability research at Qualys, a powerful exploit can enable attackers to obtain root privileges and enable illicit data access, alteration, or deletion as well as possibly leveraging additional attacks by escalating permissions.

” An arbitrary code execution is a real and tangible threat, and this buffer overflow is simply vulnerable.”

On default installations of well-known Linux distributions like Fedora 37 and 38, Ubuntu 22.04 and 23, and Android 12 and 13, the research team was able to effectively identify and take advantage of this vulnerability. Although the vulnerability was first made available in April 2021, another distributions are probably just as vulnerable. Alpine Linux is a notable exception because it uses musl libc rather than glibc.

Essentially, the dynamic loader of the GNU C Library is essential for creating and running programs, making it a security-sensitive element. This loader examines a program when it is started, finds the necessary shared libraries, loads them into memory, and connects them to the executable at runtime.

Concerns are raised by the presence of a buffer overflow vulnerability in the handling of the GLIBC_TUNABLES environment varying because it could harm system performance, dependability, and security. &nbsp,

Due to their extensive use of the Linux kernel within custom operating systems, IoT devices are the most susceptible to this glibc vulnerability, according to John Gallagher, vice president of Viakoo Labs.

There will be a protracted process to make sure that all IoT device manufacturers are remediated, in addition to unique schedules for patch production.

On September 4, the Qualys TRU&nbsp informed Linux package maintainers of the problem, and on September 19, a patch was sent. To reduce the risk it poses to Linux distributions, the team advised security teams to prioritize fixing this flaw.

The ease with which this buffer overflow can be converted into a data-only attack raises questions about possible future exploits, even though the research team has not disclosed the exploit code.

There is a significant risk of integrating this vulnerability into integrated tools, worms, or other malicious software, which would facilitate widespread exploitation of susceptible systems, Abbasi continued.

Organizations must exercise extreme caution to protect their systems and data from possible compromise through this glibc vulnerability given the specifics of the provided exploitation path.

Leo Portal

Leo is an expert in the field of smart city research and an overall tech-enthusiast with an emphasis on smart energy, IOT, smart homes and governance. After a master degree in international administration at the University of Gothenburg in Sweden, and a master in public management at Fudan University in China, he pursued research studies in the field of smart cities at the European University Institute. This led him to publish multiple articles on smart cities. Among them “Using Smart People to Build Smarter: How Smart Cities Attract and Retain Highly Skilled Workers to Drive Innovation (Belgium, Denmark, the Netherlands, Poland)” published in the Smart Cities and Regional Development Journal (SCRD) and “Establishing Participative Smart Cities: Theory and Practice”, also published in the SCRD Journal. He regularly audits and advises municipalities and regional governments on their smart city strategies. He is currently writing a chapter for Springer on smart mobility in French smart cities.

Leave a Reply

Your email address will not be published.

nsa, ai, artificial intelligence
Previous Story

the USA NSA Establishes AI Security Center

Next Story

Call to Double R&D to Forge Tomorrow’s Economy

Latest from Technology

Don't Miss