
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
A buffer overflow vulnerability (CVE-2023-4911), also known as 'Looney Tunables', was discovered in the GNU C Library's dynamic loader (ld.so) in its handling of the GLIBC_TUNABLES environment variable. The vulnerable code was introduced in April 2021 and first shipped in glibc 2.34. Because ld.so parses GLIBC_TUNABLES before any program code runs, including in set-user-ID (SUID) and other AT_SECURE processes, a local attacker can launch a SUID-root binary with a maliciously crafted GLIBC_TUNABLES value and execute code with elevated privileges (Qualys Advisory, NVD).
The bug is in the loader's parse_tunables() function, which, in a SUID process, sanitises GLIBC_TUNABLES by copying the tunables it keeps back into a buffer sized exactly to the original string, in place. Tunable names are terminated by '=' and tunables are separated by ':', but '=' is not a delimiter inside a value, so a variable of the form 'tunable1=tunable2=AAA' (where tunable1 and tunable2 are SXID_IGNORE tunables, i.e. ones the loader keeps in a SUID environment) is parsed as tunable1 with the value 'tunable2=AAA', and the first iteration copies the entire string, filling the buffer. The loop then fails to advance past a value that runs to the end of the string, so the second iteration re-parses 'tunable2=AAA' as a second tunable and appends it, writing past the end of the buffer. The vulnerability has a CVSS v3.1 base score of 7.8 (HIGH) with vector CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Red Hat CVE).
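To make the parsing loop concrete, the following is a small C model of the secure-context path of parse_tunables(), added for this page; it is not glibc's code and not taken from the Qualys advisory. The tunable table is constructed (glibc.malloc.mxfast is a real SXID_IGNORE tunable, the other entries and their levels are illustrative), the output goes to a separate bounds-checked buffer instead of being written in place, and the parser reports how many bytes the loop would have emitted, so the overflow can be measured rather than triggered. The `fixed` flag switches the end of the loop between the vulnerable behaviour and the behaviour of the upstream fix, which stops as soon as a value reaches the end of the string.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Model of the AT_SECURE path of glibc's parse_tunables() (added example, not
 * glibc code).  glibc parses GLIBC_TUNABLES in place, inside a copy of the
 * variable that is exactly strlen(value)+1 bytes long, so every byte emitted
 * past strlen(value) is the overflow described in the text.  Here the output
 * goes to a separate buffer and the byte count is returned instead. */

enum seclevel { SXID_ERASE, SXID_IGNORE, NONE };   /* names as in dl-tunables.h */

struct tunable { const char *name; enum seclevel level; };

/* Constructed toy table: glibc.malloc.mxfast really is SXID_IGNORE (the tunable
 * used in the Qualys advisory); the other two entries are illustrative only. */
static const struct tunable tunable_list[] = {
  { "glibc.malloc.mxfast",  SXID_IGNORE },
  { "glibc.malloc.check",   SXID_ERASE  },
  { "glibc.malloc.perturb", SXID_ERASE  },
};

static const struct tunable *lookup(const char *name, size_t len)
{
  for (size_t i = 0; i < sizeof tunable_list / sizeof tunable_list[0]; i++)
    if (strlen(tunable_list[i].name) == len &&
        memcmp(tunable_list[i].name, name, len) == 0)
      return &tunable_list[i];
  return NULL;
}

/* Append one byte, counting it even when the output buffer is already full. */
static void put(char *out, size_t cap, size_t *off, char c)
{
  if (*off < cap) out[*off] = c;
  (*off)++;
}

/* Parse `input` the way ld.so does for a set-user-ID process and return the
 * number of bytes the sanitising copy emits (terminating NUL not counted).
 * fixed == false: loop ends like the vulnerable code (glibc 2.34 to 2.38).
 * fixed == true : loop ends like the CVE-2023-4911 fix. */
static size_t parse_tunables_model(const char *input, bool fixed, char *out, size_t cap)
{
  const char *p = input;
  size_t off = 0;

  for (;;) {
    const char *name = p;
    size_t len = 0;
    while (p[len] != '=' && p[len] != ':' && p[len] != '\0') len++;
    if (p[len] == '\0') break;                       /* no name=value pair left */
    if (p[len] == ':') { p += len + 1; continue; }   /* name without a value */

    const struct tunable *cur = lookup(name, len);
    p += len + 1;                                    /* skip '=': p is now the value */
    const char *value = p;
    len = 0;
    while (p[len] != ':' && p[len] != '\0') len++;   /* note: '=' is NOT a delimiter here */

    /* Known tunables that are not SXID_ERASE are copied back so that child
     * processes still see them; this copy is what can exceed the input size. */
    if (cur != NULL && cur->level != SXID_ERASE) {
      if (off > 0) put(out, cap, &off, ':');
      for (const char *n = cur->name; *n != '\0'; n++) put(out, cap, &off, *n);
      put(out, cap, &off, '=');
      for (size_t i = 0; i < len; i++) put(out, cap, &off, value[i]);
    }

    if (fixed) {
      if (p[len] == '\0') break;                     /* fix: end of input ends the loop */
      p += len + 1;
    } else {
      /* BUG: when the value runs to the end of the string, p is left pointing at
       * it, so the next pass re-parses "tunable2=AAA" as a fresh name=value pair
       * and appends it after everything that was already copied. */
      if (p[len] != '\0') p += len + 1;
    }
  }
  if (off < cap) out[off] = '\0';
  return off;
}

/* Bytes that would land beyond the strlen(input)-byte in-place buffer. */
static size_t overflow_bytes(const char *input, bool fixed)
{
  char scratch[256];
  size_t written = parse_tunables_model(input, fixed, scratch, sizeof scratch);
  size_t room = strlen(input);
  return written > room ? written - room : 0;
}

/* Convenience for checking the sanitised string the model produces. */
static bool model_output_equals(const char *input, bool fixed, const char *expected)
{
  char scratch[256];
  parse_tunables_model(input, fixed, scratch, sizeof scratch);
  return strcmp(scratch, expected) == 0;
}

int main(void)
{
  const char *benign  = "glibc.malloc.check=1:glibc.malloc.mxfast=64";   /* constructed input */
  const char *trigger = "glibc.malloc.mxfast=glibc.malloc.mxfast=A";     /* shape from the advisory */
  printf("benign : %zu bytes past the buffer\n", overflow_bytes(benign, false));
  printf("trigger: %zu bytes past the buffer (unfixed), %zu (fixed)\n",
         overflow_bytes(trigger, false), overflow_bytes(trigger, true));
  return 0;
}
```

Build with `cc -Wall -o tunables tunables.c`. The 41-byte trigger makes the unfixed loop emit 63 bytes, 22 past the end of a buffer sized to the input, while the fixed loop stops at 41 and leaves the string unchanged. The well-formed input produces the same 22-byte result under both variants, which is why ordinary use of GLIBC_TUNABLES never exposed the bug; in the real loader the extra bytes land past the end of ld.so's private copy of the variable.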
A successful exploit gives a local attacker full root privileges. Qualys exploited the bug on default installations of Fedora 37 and 38, Ubuntu 22.04 and 23.04, and Debian 12 and 13, and reports that almost every SUID-root program installed by default on Linux is exploitable, the few exceptions being sudo (because of its own ELF RUNPATH) and programs confined by SELinux or AppArmor (Qualys Advisory).
The primary mitigation is to update glibc to a patched version. Fixes were released for Debian 12 bookworm (2.36-9+deb12u3; Debian 11 bullseye ships glibc 2.31, which predates the vulnerable code), Red Hat Enterprise Linux 9 (RHSA-2023:5453) and RHEL 8 (RHSA-2023:5455), and Fedora 37 (glibc-2.36-14.fc37). Alpine Linux is not affected because it uses musl libc instead of glibc (Debian Security Advisory, Red Hat Advisory). Note that the fix lives in ld.so, so it protects only processes started after the update.
The vulnerability received significant attention from the security community because of its high severity and the breadth of affected systems. It was discovered and reported by Qualys Research Labs, which coordinated disclosure with the major Linux distributions. CISA later added it to the Known Exploited Vulnerabilities Catalog, which requires federal agencies to apply the vendor fixes (NVD).
Source: This report was generated using AI