Qualys researchers have discovered a critical vulnerability in Linux’s GNU C Library (glibc), which could potentially enable attackers to gain full root access to a system. This vulnerability, officially designated as CVE-2023-6246, is a heap-based buffer overflow issue discovered in the __vsyslog_internal() function of the glibc. This function is commonly called by the frequently utilized syslog() and vsyslog() logging functions.
According to Qualys's technical advisory, an unprivileged local attacker could exploit this vulnerability by supplying an argv or openlog() ident argument that exceeds 1024 bytes. This overflows the __vsyslog_internal() buffer and overwrites the name field of a heap-based struct nss_module with a string containing a slash, so that a shared library located in the attacker's working directory is loaded and executed with root privileges.
However, as Qualys highlights, it would require thousands of attempts to brute force the exploit parameters, such as the length of argv and other variables. This makes it unlikely for the vulnerability to be remotely triggered. Despite this, the severity of the bug should not be downplayed, as it could provide an attacker with full root access via carefully crafted inputs to applications that use the syslog() and vsyslog() logging functions.
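The trigger condition described above is an ident or program name longer than the 1024-byte buffer. As an added defensive example (not code from Qualys or glibc), the snippet below shows how an application that derives its syslog ident from argv[0] can bound it before calling openlog(); the IDENT_MAX cap is a hypothetical application policy, while 1024 is the buffer size named in the advisory.

```c
#include <stdio.h>
#include <string.h>
#include <syslog.h>

/* Hypothetical application-side cap on the ident length; the 1024-byte
 * figure below is the buffer size from the advisory, not a glibc constant. */
#define IDENT_MAX 64
#define ADVISORY_BUF 1024

static char ident_buf[IDENT_MAX + 1];

/* Derive a bounded ident from a program name such as argv[0]:
 * keep only the final path component and truncate to outsz - 1 bytes.
 * Returns the length of the resulting string. */
size_t bounded_ident(const char *progname, char *out, size_t outsz) {
    const char *base = strrchr(progname, '/');
    base = base ? base + 1 : progname;
    size_t n = strlen(base);
    if (n >= outsz)
        n = outsz - 1;
    memcpy(out, base, n);
    out[n] = '\0';
    return n;
}

/* Returns 1 if a raw ident is longer than the buffer size cited in the advisory. */
int ident_is_oversized(const char *ident) {
    return strlen(ident) > ADVISORY_BUF;
}

/* Open the log with a bounded copy of the program name. The pointer passed to
 * openlog() must stay valid for the life of the process, hence the static buffer. */
void safe_openlog(const char *progname) {
    bounded_ident(progname, ident_buf, sizeof ident_buf);
    openlog(ident_buf, LOG_PID, LOG_USER);
}

int main(int argc, char **argv) {
    safe_openlog(argc > 0 ? argv[0] : "unknown");
    syslog(LOG_INFO, "started with bounded ident: %s", ident_buf);
    closelog();
    return 0;
}
```

This is defence in depth only; the fix is the patched glibc, since the overflow itself is inside the library.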
"Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv or openlog() ident argument), its impact is significant due to the widespread use of the affected library," Qualys points out.
The flaw was first introduced in glibc version 2.37 in August 2022 and was backported to glibc 2.36 while addressing a different issue. According to Qualys, the CVE-2023-6246 bug affects major Linux distributions. The vulnerability was fixed in glibc 2.38, an update that also resolves five other security defects discovered by the Qualys team.
In addition to this, the Qualys researchers brought to light another issue in glibc, found in the library’s qsort() function, which could result in memory corruption and affects all glibc versions from 1.04 (September 1992) through 2.38 (January 2024).