The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to federal agencies, instructing them to secure their systems against a vulnerability that is currently being exploited in major Linux distributions. This vulnerability, known as 'Looney Tunables' and tracked as CVE-2023-4911, allows attackers to gain root privileges.
The 'Looney Tunables' bug was discovered by Qualys' Threat Research Unit. It stems from a buffer overflow in the GNU C Library's ld.so dynamic loader, which gives a local attacker root privileges on affected systems. The flaw affects systems running the latest versions of popular Linux distributions such as Fedora, Ubuntu, and Debian.
System administrators have been urged to apply patches to their systems immediately, as the vulnerability is being actively exploited and several proof-of-concept exploits have been released online since its disclosure in early October. "With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it's imperative for system administrators to act swiftly," warned Saeed Abbasi from Qualys.
CISA has added the actively exploited Linux flaw to its Known Exploited Vulnerabilities Catalog, classifying it as a frequent attack vector for malicious cyber actors and a significant risk to the federal enterprise. As a result of its inclusion in the catalog, U.S. Federal Civilian Executive Branch Agencies (FCEB) are required to patch Linux devices on their networks by December 12, in accordance with a binding operational directive issued a year ago.
While the directive applies only to U.S. federal agencies, CISA has also advised all organizations, including private companies, to prioritize patching the 'Looney Tunables' security flaw. Although CISA did not say who is behind the ongoing exploitation of 'Looney Tunables', researchers from cloud security company Aqua's Nautilus team revealed that operators of the Kinsing malware are using the flaw in attacks targeting cloud environments. Those attacks begin by exploiting a known vulnerability in the PHP testing framework 'PHPUnit', which gives the attackers an initial foothold for code execution before they use CVE-2023-4911 to escalate to root.