GNU C Library vulnerabilities could impact Linux systems, security company says

Lines of Linux code in shite and red on a black screen
(Image credit: Getty Images)

Security company Qualys has warned of “significant” vulnerabilities it has discovered in the GNU C Library, a key building block of applications in Linux environments.

The GNU C Library project provides the core libraries for the GNU system and GNU/Linux systems, as well as many other systems that use Linux as their kernel. Qualys explained that the GNU C Library – known as glibc – is an essential component of virtually every Linux-based system, serving as the core interface between applications and the Linux kernel.

“The recent discovery of these vulnerabilities is not just a technical concern but a matter of widespread security implications,” said Saeed Abbasi, product manager in the Threat Research Unit at Qualys.

He said the vulnerabilities identified highlight a critical aspect of software security, that even the most foundational and trusted components are not immune to flaws. “The ramifications of these vulnerabilities extend far beyond individual systems, affecting many applications and potentially millions of users worldwide,” he said.

The first vulnerability identified – CVE-2023-6246 – is described by the security company as a “significant security flaw” in the GNU C Library’s __vsyslog_internal() function, affecting syslog() and vsyslog().

It’s a heap-based buffer overflow vulnerability that was inadvertently introduced in glibc 2.37 (back in August 2022) and subsequently backported to glibc 2.36. Qualys said that it had confirmed Linux distributions including Debian versions 12 and 13, Ubuntu 23.04 and 23.10, and Fedora 37 to 39 were vulnerable.

Qualys said the buffer overflow issue poses a significant threat as it could allow local privilege escalation, enabling an unprivileged user to gain full root access through crafted inputs to applications that employ these logging functions.

“Although the vulnerability requires specific conditions to be exploited (such as an unusually long argv[0] or openlog() ident argument), its impact is significant due to the widespread use of the affected library,” Abbasi said, noting a similar issue was reported in December 1997 in an older Linux libc version.

While looking into the function affected by CVE-2023-6246, the company’s security researchers also spotted two additional “albeit minor” vulnerabilities. These were CVE-2023-6779 which involves an off-by-one heap-based buffer overflow in the function, and CVE-2023-6780, an integer overflow issue in the same function. Qualys noted however that triggering these two minor vulnerabilities appears to be more difficult and exploiting them effectively is likely to be more complex.

RELATED RESOURCE

Dark background with white text that says Buyer’s Guide for Developer Security Tools 2022

(Image credit: Synk)

Find and fix security vulnerabilities in your team’s code before it’s too late

DOWNLOAD NOW

Qualys also identified another vulnerability which it described as involving a “subtle yet dangerous flaw” in glibc’s qsort() function. However, the researchers acknowledge that real-world examples of vulnerable programs have not been identified. They said the glibc developers have already addressed this problem in a recent update.

“These flaws highlight the critical need for strict security measures in software development, especially for core libraries widely used across many systems and applications,” Abbasi said.

It’s not the first time Qualys has found vulnerabilities in the GNU C Library: in October 2023 its researchers discovered a buffer overflow vulnerability in GNU C Library’s dynamic loader’s processing of the GLIBC_TUNABLES environment variable. This was a local privilege escalation that grants full root privileges, which it dubbed at the time ‘Looney Tunables’.

Steve Ranger

Steve Ranger is an award-winning reporter and editor who writes about technology and business. Previously he was the editorial director at ZDNET and the editor of silicon.com.