Looney Tunables (CVE-2023-4911) exploited for privilege escalation

Goal

Detect exploitation of CVE-2023-4911, a buffer overflow in the GNU C Library (glibc) dynamic loader.

Strategy

This vulnerability exists in the GNU C Library’s dynamic loader, ld.so, while it processes the GLIBC_TUNABLES environment variable. A local attacker could execute a SUID binary with a maliciously crafted GLIBC_TUNABLES value to run code with elevated privileges. This detection monitors SUID binary executions and alerts when the GLIBC_TUNABLES environment variable is present in the process environment.
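As an added illustration of this strategy (example code, not the detection rule's own implementation), the following Python applies the same check to a constructed list of process-exec events; the ExecEvent shape, its field names and the sample events are assumptions, and the allowlist stands in for SUID paths confirmed as expected activity during triage.

```python
import stat
from dataclasses import dataclass, field


@dataclass
class ExecEvent:
    """Process-exec event shape assumed for this example (not an agent schema)."""
    pid: int
    ppid: int
    user: str
    file_path: str
    file_mode: int                             # st_mode of the executed file
    envs: list = field(default_factory=list)   # "KEY=VALUE" strings, cf. @process.envs


def is_suid(mode: int) -> bool:
    """True when the set-user-ID bit is set on the executed file."""
    return bool(mode & stat.S_ISUID)


def glibc_tunables_value(envs):
    """Return the GLIBC_TUNABLES value if the variable is present, else None."""
    for entry in envs:
        if entry.startswith("GLIBC_TUNABLES="):
            return entry.split("=", 1)[1]
    return None


def detect(event: ExecEvent, allowlist=frozenset()):
    """Alert when a SUID binary is executed with GLIBC_TUNABLES in its environment.

    allowlist holds SUID paths an operator has confirmed as expected activity
    (triage step 1); any other SUID exec carrying the variable raises an alert.
    """
    if not is_suid(event.file_mode):
        return None
    value = glibc_tunables_value(event.envs)
    if value is None or event.file_path in allowlist:
        return None
    return {
        "rule": "CVE-2023-4911: GLIBC_TUNABLES passed to SUID binary",
        "pid": event.pid, "ppid": event.ppid, "user": event.user,
        "file_path": event.file_path, "glibc_tunables": value,
    }


def scan(events, allowlist=frozenset()):
    """Run detect() over a batch of events and return the alerts raised."""
    return [a for a in (detect(e, allowlist) for e in events) if a]


# Constructed sample events: 0o104755 is a regular file, mode 0755, SUID set.
SAMPLE_EVENTS = [
    ExecEvent(101, 100, "alice", "/usr/bin/ls", 0o100755, ["GLIBC_TUNABLES=glibc.malloc.check=3"]),
    ExecEvent(102, 100, "alice", "/usr/bin/su", 0o104755, ["LANG=C.UTF-8"]),
    ExecEvent(103, 100, "alice", "/usr/bin/su", 0o104755,
              ["LANG=C.UTF-8", "GLIBC_TUNABLES=glibc.malloc.check=3"]),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)   # only the SUID exec with the variable set (pid 103) is reported
```

The first event is not SUID and the second carries no GLIBC_TUNABLES, so neither alerts; a real pipeline would take file_mode from the executed file's inode and envs from the agent's process environment field.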

Triage and response

  1. Inspect the executing process and the @process.envs field to determine if this is expected activity.
  2. Review the process tree and related signals to establish a timeline and determine where the activity originated.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.
  4. Find and repair the root cause of the exploit.

Requires Agent version 7.27 or later.