Looney Tunables (CVE-2023-4911) exploited for privilege escalation

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1068-exploitation-for-privilege-escalation

このページは日本語には対応しておりません。随時翻訳に取り組んでいます。翻訳に関してご質問やご意見ございましたら、お気軽にご連絡ください。

Goal

Detect exploitation of CVE-2023-4911, a buffer overflow in GNU C.

Strategy

This vulnerability exists in GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. A local attacker could launch a SUID binary with a maliciously crafted GLIBC_TUNABLES value to execute code with elevated permissions. This detection monitors SUID binary executions and alerts when the GLIBC_TUNABLES environment variable is provided.

Triage and response

  1. Inspect the executing process and the @process.envs field to determine if this is expected activity.
  2. Review the process tree and related signals to establish a timeline and determine where the activity originated from.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.
  4. Find and repair the root cause of the exploit.

Requires Agent version 7.27 or later.