Today, CISA ordered U.S. federal agencies to secure their systems against an actively exploited vulnerability that lets attackers gain root privileges on many major Linux distributions.
Dubbed 'Looney Tunables' by Qualys' Threat Research Unit (who discovered the bug) and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness in the GNU C Library's ld.so dynamic loader.
The security flaw impacts systems running the latest releases of widely used Linux platforms, including Fedora, Ubuntu, and Debian in their default configurations.
Administrators are urged to patch their systems as soon as possible, seeing that the vulnerability is now actively exploited and several proof-of-concept (PoC) exploits have been released online since its disclosure in early October.
"With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it's imperative for system administrators to act swiftly," Qualys' Saeed Abbasi warned.
CISA also added the actively exploited Linux flaw to its Known Exploited Vulnerabilities Catalog today, including it in its list of "frequent attack vectors for malicious cyber actors" and posing "significant risks to the federal enterprise."
Following its inclusion in CISA's KEV list, U.S. Federal Civilian Executive Branch Agencies (FCEB) must patch Linux devices on their networks by December 12, as mandated by a binding operational directive (BOD 22-01) issued one year ago.
Although the BOD 22-01 primarily targets U.S. federal agencies, CISA also advised all organizations (including private companies) to prioritize patching the Looney Tunables security flaw immediately.
Exploited in Kinsing malware attacks
While CISA didn't attribute the ongoing Looney Tunables exploitation, security researchers with cloud security company Aqua Nautilus revealed two weeks ago that Kinsing malware operators are using the flaw in attacks targeting cloud environments.
The attacks start with exploiting a known vulnerability within the PHP testing framework 'PHPUnit.' This initial breach allows them to establish a code execution foothold, followed by leveraging the 'Looney Tunables' issue to escalate their privileges.
After gaining root access to compromised Linux devices, threat actors install a JavaScript web shell for backdoor access. This shell allows them to execute commands, manage files, and conduct network and server reconnaissance.
The Kinsing attackers' ultimate goal is to steal cloud service provider (CSP) credentials, aiming for access to AWS instance identity data.
Kinsing is known for breaching and deploying crypto mining software cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins.
Microsoft has also recently observed the group targeting Kubernetes clusters via misconfigured PostgreSQL containers, while TrendMicro spotted them exploiting the critical CVE-2023-46604 Apache ActiveMQ bug to compromise Linux systems.
Comments
GT500 - 5 months ago
Why don't articles like this list exactly what software/API is vulnerable, the effected versions, the versions that contain the patch, and what all needs to be updated in the case of a vulnerability effecting multiple things? Sure we can just go install updates and reboot our servers, hoping the "shotgun approach" covers everything, but without knowing at least effected packages and version numbers containing the patch we can't know for certain if we even have the patch installed without doing additional research beyond the news article.
serghei - 5 months ago
I linked to the Red Hat advisory when I first mentioned the CVE ID. You have all that info there.
GT500 - 5 months ago
I did see that, but why not just put that info in the article? If people know they will get all the info they need in your articles, it encourages them to click on the article to load it in the first place rather than just reading the headline and looking somewhere else for that info. Most people are probably just going to skim the article for the info, not see it, and go somewhere else.