CISA Mandates Federal Agencies to Address ‘Looney Tunables’ Linux Vulnerability

November 21, 2023

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued a directive to federal agencies, instructing them to secure their systems against a vulnerability that is currently being exploited in major Linux distributions. This vulnerability, known as 'Looney Tunables' and tracked as CVE-2023-4911, allows attackers to gain root privileges.

The 'Looney Tunables' bug was discovered by Qualys' Threat Research Unit. It arises from a buffer overflow weakness in the GNU C Library's ld.so dynamic loader. This security flaw affects systems running the latest versions of popular Linux platforms such as Fedora, Ubuntu, and Debian.

System administrators have been urged to apply patches to their systems immediately, as the vulnerability is being actively exploited and several proof-of-concept exploits have been released online since its disclosure in early October. "With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it's imperative for system administrators to act swiftly," warned Saeed Abbasi from Qualys.

CISA has added the actively exploited Linux flaw to its Known Exploited Vulnerabilities Catalog, classifying it as a frequent attack vector for malicious cyber actors and a significant risk to the federal enterprise. As a result of its inclusion in the catalog, U.S. Federal Civilian Executive Branch (FCEB) agencies are required to patch Linux devices on their networks by December 12, in accordance with a binding operational directive issued a year ago.

While the directive primarily targets U.S. federal agencies, CISA has also advised all organizations, including private companies, to prioritize patching the 'Looney Tunables' security flaw. Although CISA did not attribute the ongoing exploitation of 'Looney Tunables', researchers from cloud security company Aqua Nautilus revealed that operators of the Kinsing malware are using the flaw in attacks targeting cloud environments. The attacks begin by exploiting a known vulnerability within the PHP testing framework 'PHPUnit', which allows the attackers to establish a foothold for code execution.

The 'Looney Tunables' issue is then leveraged to escalate privileges. Once root access to compromised Linux devices is gained, threat actors install a JavaScript web shell for backdoor access. This shell enables them to execute commands, manage files, and conduct network and server reconnaissance. The ultimate goal of the Kinsing attackers is to steal cloud service provider (CSP) credentials, specifically targeting access to AWS instance identity data. Kinsing is known for breaching and deploying crypto mining software on cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins. Microsoft has also recently observed the group targeting Kubernetes clusters via misconfigured PostgreSQL containers, while Trend Micro has spotted them exploiting the critical CVE-2023-46604 Apache ActiveMQ bug to compromise Linux systems.
