A buffer overflow was discovered in the GNU C Library's dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. This issue could allow a local attacker to use maliciously crafted GLIBC_TUNABLES environment variables when launching binaries with SUID permission to execute code with elevated privileges.
Fixes

Solution

No solution given by the vendor.


Workaround

For customers who cannot update immediately and do not have Secure Boot feature enabled, the issue can be mitigated using the provided SystemTap script with the following steps. When enabled, any setuid program invoked with GLIBC_TUNABLES in the environment will be terminated immediately. To invoke the setuid program, users will then have to unset or clear the GLIBC_TUNABLES envvar, e.g. `GLIBC_TUNABLES= sudo`.

Note that these mitigation steps will need to be repeated if the system is rebooted.

1) Install required systemtap packages and dependencies as per - https://access.redhat.com/solutions/5441

2) Create the following systemtap script, and name it stap_block_suid_tunables.stp:

~~~
function has_tunable_string:long()
{
  name = "GLIBC_TUNABLES"

  mm = @task(task_current())->mm;
  if (mm)
    {
      env_start = @mm(mm)->env_start;
      env_end = @mm(mm)->env_end;

      if (env_start != 0 && env_end != 0)
        while (env_end > env_start)
          {
            cur = user_string(env_start, "");
            env_name = tokenize(cur, "=");

            if (env_name == name && tokenize("", "") != "")
              return 1;
            env_start += strlen (cur) + 1
          }
    }

  return 0;
}

probe process("/lib*/ld*.so*").function("__tunables_init")
{
  atsecure = 0;
  /* Skip processing if we can't read __libc_enable_secure, e.g. core dump
     handler (systemd-cgroups-agent and systemd-coredump). */
  try { atsecure = @var("__libc_enable_secure"); }
  catch { printk (4, sprintf ("CVE-2023-4911: Skipped check: %s (%d)", execname(), pid())); }
  if (atsecure && has_tunable_string ())
    raise (9);
}
~~~

3) Load the systemtap module into the running kernel:

~~~
stap -g -F -m stap_block_suid_tunables stap_block_suid_tunables.stp
~~~

4) Ensure the module is loaded:

~~~
lsmod | grep -i stap_block_suid_tunables
stap_block_suid_tunables 249856 0
~~~

5) Once the glibc package is updated to the version containing the fix, the systemtap generated kernel module can be removed by running:

~~~
rmmod stap_block_suid_tunables
~~~

If Secure Boot is enabled on a system, the SystemTap module must be signed. An external compiling server can be used to sign the generated kernel module with a key enrolled into the kernel's keyring or starting with SystemTap 4.7 you can sign a module without a compile server. See further information here - https://www.redhat.com/sysadmin/secure-boot-systemtap
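Because the mitigation kills any setuid program started with a non-empty GLIBC_TUNABLES, it helps to know beforehand which running processes carry that variable and would pass it on to setuid children. The following audit helper is an added example, not part of the vendor workaround: it applies the same name/value test as `has_tunable_string` to `/proc/<pid>/environ`, which exposes the same exec-time environment region the script walks. The function names and sample data are constructed for illustration, and reading other users' processes requires root.

```python
import os

NAME = b"GLIBC_TUNABLES"

def has_tunable_string(environ_block: bytes) -> bool:
    """Same test as the SystemTap has_tunable_string(): walk the
    NUL-separated NAME=value strings and report a non-empty GLIBC_TUNABLES."""
    for entry in environ_block.split(b"\0"):
        name, sep, value = entry.partition(b"=")
        # An empty value ("GLIBC_TUNABLES=") is the cleared form the
        # workaround text tells users to use, so it is not a hit.
        if sep and name == NAME and value != b"":
            return True
    return False

def scan_proc(proc_root: str = "/proc"):
    """Return sorted [(pid, comm)] for readable processes whose exec-time
    environment carries a non-empty GLIBC_TUNABLES."""
    hits = []
    for pid in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, pid, "environ"), "rb") as f:
                block = f.read()
            with open(os.path.join(proc_root, pid, "comm")) as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited, or not readable by this user
        if has_tunable_string(block):
            hits.append((int(pid), comm))
    return sorted(hits)

# Constructed sample environment blocks (not captured from a real system).
SAMPLE_SET = b"PATH=/usr/bin\0GLIBC_TUNABLES=glibc.malloc.check=1\0HOME=/root\0"
SAMPLE_CLEARED = b"PATH=/usr/bin\0GLIBC_TUNABLES=\0"
SAMPLE_LOOKALIKE = b"XGLIBC_TUNABLES=1\0NOTE=GLIBC_TUNABLES=1\0"

if __name__ == "__main__":
    for pid, comm in scan_proc():
        print(f"{pid}\t{comm}\tGLIBC_TUNABLES is set")
```

A hit here is not evidence of exploitation; it only identifies processes whose setuid children the loaded module would terminate.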

References
http://packetstormsecurity.com/files/174986/glibc-ld.so-Local-Privilege-Escalation.html
http://packetstormsecurity.com/files/176288/Glibc-Tunables-Privilege-Escalation.html
http://seclists.org/fulldisclosure/2023/Oct/11
http://www.openwall.com/lists/oss-security/2023/10/03/2
http://www.openwall.com/lists/oss-security/2023/10/03/3
http://www.openwall.com/lists/oss-security/2023/10/05/1
http://www.openwall.com/lists/oss-security/2023/10/13/11
http://www.openwall.com/lists/oss-security/2023/10/14/3
http://www.openwall.com/lists/oss-security/2023/10/14/5
http://www.openwall.com/lists/oss-security/2023/10/14/6
https://access.redhat.com/errata/RHBA-2024:2413
https://access.redhat.com/errata/RHSA-2023:5453
https://access.redhat.com/errata/RHSA-2023:5454
https://access.redhat.com/errata/RHSA-2023:5455
https://access.redhat.com/errata/RHSA-2023:5476
https://access.redhat.com/errata/RHSA-2024:0033
https://access.redhat.com/security/cve/CVE-2023-4911
https://bugzilla.redhat.com/show_bug.cgi?id=2238352
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4DBUQRRPB47TC3NJOUIBVWUGFHBJAFDL/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/DFG4P76UHHZEWQ26FWBXG76N2QLKKPZA/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NDAQWHTSVOCOZ5K6KPIWKRT3JX4RTZUR/
https://nvd.nist.gov/vuln/detail/CVE-2023-4911
https://security.gentoo.org/glsa/202310-03
https://security.netapp.com/advisory/ntap-20231013-0006/
https://www.cisa.gov/known-exploited-vulnerabilities-catalog
https://www.cve.org/CVERecord?id=CVE-2023-4911
https://www.debian.org/security/2023/dsa-5514
https://www.qualys.com/2023/10/03/cve-2023-4911/looney-tunables-local-privilege-escalation-glibc-ld-so.txt
https://www.qualys.com/cve-2023-4911/

History

Wed, 30 Jul 2025 02:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'Active', 'Technical Impact': 'Total'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'active', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.70815}

epss

{'score': 0.73151}


Wed, 30 Apr 2025 20:00:00 +0000

Type Values Removed Values Added
References

Tue, 28 Jan 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics kev

{'dateAdded': '2023-11-21'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'Active', 'Technical Impact': 'Total'}, 'version': '2.0.3'}


Mon, 27 Jan 2025 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Netapp
Netapp h300s
Netapp h300s Firmware
Netapp h410c
Netapp h410c Firmware
Netapp h410s
Netapp h410s Firmware
Netapp h500s
Netapp h500s Firmware
Netapp h700s
Netapp h700s Firmware
Netapp ontap Select Deploy Administration Utility
Redhat codeready Linux Builder
Redhat codeready Linux Builder For Arm64
Redhat codeready Linux Builder For Ibm Z Systems
Redhat codeready Linux Builder For Power Little Endian
Redhat enterprise Linux For Arm 64
Redhat enterprise Linux For Ibm Z Systems
Redhat enterprise Linux For Ibm Z Systems Eus
Redhat enterprise Linux For Power Little Endian
Redhat enterprise Linux For Power Little Endian Eus
Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions
Vendors & Products Netapp
Netapp h300s
Netapp h300s Firmware
Netapp h410c
Netapp h410c Firmware
Netapp h410s
Netapp h410s Firmware
Netapp h500s
Netapp h500s Firmware
Netapp h700s
Netapp h700s Firmware
Netapp ontap Select Deploy Administration Utility
Redhat codeready Linux Builder
Redhat codeready Linux Builder For Arm64
Redhat codeready Linux Builder For Ibm Z Systems
Redhat codeready Linux Builder For Power Little Endian
Redhat enterprise Linux For Arm 64
Redhat enterprise Linux For Ibm Z Systems
Redhat enterprise Linux For Ibm Z Systems Eus
Redhat enterprise Linux For Power Little Endian
Redhat enterprise Linux For Power Little Endian Eus
Redhat enterprise Linux Server For Power Little Endian Update Services For Sap Solutions

Fri, 22 Nov 2024 12:00:00 +0000


Tue, 17 Sep 2024 20:00:00 +0000

Type Values Removed Values Added
First Time appeared Canonical
Canonical ubuntu Linux
Debian
Debian debian Linux
CPEs cpe:2.3:o:canonical:ubuntu_linux:22.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:23.04:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:13.0:*:*:*:*:*:*:*
Vendors & Products Canonical
Canonical ubuntu Linux
Debian
Debian debian Linux

Mon, 16 Sep 2024 14:45:00 +0000


Wed, 14 Aug 2024 01:00:00 +0000

Type Values Removed Values Added
References

MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2025-08-21T08:14:06.311Z

Reserved: 2023-09-12T13:10:32.495Z

Link: CVE-2023-4911

Vulnrichment

Updated: 2024-08-02T07:44:52.050Z

NVD

Status: Analyzed

Published: 2023-10-03T18:15:10.463

Modified: 2025-05-06T21:02:34.223

Link: CVE-2023-4911

Redhat

Severity: Important

Public Date: 2023-10-03T17:00:00Z

Links: CVE-2023-4911 - Bugzilla

OpenCVE Enrichment

No data.