A vulnerability known as "Looney Tunables" has been identified in the GNU C Library (glibc), which can be leveraged by malicious actors to attain root privileges on widely used Linux distributions. This vulnerability, tracked as CVE-2023-4911, is a buffer overflow weakness located within the dynamic loader's handling of the GLIBC_TUNABLES environment variable. The dynamic loader from the GNU C Library is present in most Linux distributions. 

CVE-2023-4911 was discovered by researchers at Qualys, who successfully exploited it on the default configurations of various Linux distributions, including Fedora 7 and 8, Ubuntu 22.04 and 23.04, and Debian 12 and 13. It is likely that other distributions are also vulnerable to attacks, with the exception being the highly secure Alpine Linux. The researchers noted that this exploitation technique is effective against nearly all SUID-root programs that come pre-installed on Linux systems by default. 

Qualys Threat Research Unit Product Manager, Saeed Abbasi, emphasized the significance of an environment variable used for optimizing applications connected to glibc. When misused or exploited, it can have widespread negative impacts on system performance, reliability, and security.  

The vulnerability's ease of exploitation, potentially leading to data-only attacks, poses a major risk to numerous systems. Although there are mitigation steps, Avertium recommends that all users patch as soon as possible.  



avertium's recommendationS

  • On September 4, researchers reported CVE-2023-4911 to Red Hat, leading to the submission of an advisory and patch to the OpenWall open-source security project on September 19.  
  • The patch was officially made available on October 3, prompting multiple Linux distributions to release their updates:  
  • If you can’t patch, Red Hat has mitigation steps that you may find in their advisory




At this time, there are no known IoCs associated with CVE-2023-4911. Avertium remains vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, please reach out to your Avertium Service Delivery Manager or Account Executive.   



How Avertium is Protecting Our CUSTOMERS

  • Fusion MXDR is the first MDR offering that fuse together all aspects of security operations into a living, breathing, threat-resistant XDR solution. By fusing insights from threat intelligence, security assessments, and vulnerability management into our MDR approach, Fusion MXDR offers a more informed, robust, and cost-effective approach to cybersecurity – one that is greater than the sum of its parts. 

  • Avertium offers Vulnerability Management (VM) to provide a deeper understanding and control over organizational information security risks.  If your enterprise is facing challenges with the scope, resources, or skills required to implement a vulnerability management program with your team, outsourced solutions can help you bridge the gap.  


CVE-2023-4911: Looney Tunables - Local Privilege Escalation in the glibc’s ld.so | Qualys Security Blog 

Patch now: This serious Linux vulnerability affects nearly all distributions | ZDNET 

oss-security - Re: CVE-2023-4911: Local Privilege Escalation in the glibc's ld.so (openwall.com) 

'Looney Tunables' Bug Opens Millions of Linux Systems to Root Takeover (darkreading.com) 


Chat With One of Our Experts

Flash Notice Linux Looney Tunables Bug Linux Distributions Blog