CISA Mandates Federal Agencies to Address ‘Looney Tunables’ Linux Vulnerability
November 21, 2023
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to federal agencies, instructing them to secure their systems against a vulnerability that is currently being exploited in major Linux distributions. This vulnerability, known as 'Looney Tunables' and tracked as CVE-2023-4911, allows attackers to gain root privileges.
The 'Looney Tunables' bug was discovered by Qualys' Threat Research Unit. It arises from a buffer overflow weakness in the GNU C Library's ld.so dynamic loader. This security flaw affects systems running the latest versions of popular Linux platforms such as Fedora, Ubuntu, and Debian.
System administrators have been urged to apply patches to their systems immediately, as the vulnerability is being actively exploited and several proof-of-concept exploits have been released online since its disclosure in early October. "With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it's imperative for system administrators to act swiftly," warned Saeed Abbasi from Qualys.
CISA has added the actively exploited Linux flaw to its Known Exploited Vulnerabilities Catalog, classifying it as a frequent attack vector for malicious cyber actors and a significant risk to the federal enterprise. As a result of its inclusion in the catalog, U.S. Federal Civilian Executive Branch Agencies (FCEB) are required to patch Linux devices on their networks by December 12, in accordance with a binding operational directive issued a year ago.
While the directive primarily targets U.S. federal agencies, CISA has also advised all organizations, including private companies, to prioritize patching the 'Looney Tunables' security flaw. Although CISA did not attribute the ongoing exploitation of 'Looney Tunables', researchers from cloud security company Aqua Nautilus revealed that operators of the Kinsing malware are using the flaw in attacks targeting cloud environments. The attacks begin by exploiting a known vulnerability within the PHP testing framework 'PHPUnit', which allows the attackers to establish a foothold for code execution.
The 'Looney Tunables' issue is then leveraged to escalate privileges. Once root access to compromised Linux devices is gained, threat actors install a JavaScript web shell for backdoor access. This shell enables them to execute commands, manage files, and conduct network and server reconnaissance. The ultimate goal of the Kinsing attackers is to steal cloud service provider (CSP) credentials, specifically targeting access to AWS instance identity data. Kinsing is known for breaching cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins, and deploying cryptomining software on them. Microsoft has also recently observed the group targeting Kubernetes clusters via misconfigured PostgreSQL containers, while Trend Micro has spotted them exploiting the critical CVE-2023-46604 Apache ActiveMQ bug to compromise Linux systems.