Looney Tunables (CVE-2023-4911) exploited for privilege escalation

Classification:

attack

Tactic:

TA0004-privilege-escalation

Technique:

T1068-exploitation-for-privilege-escalation

이 페이지는 아직 한국어로 제공되지 않으며 번역 작업 중입니다. 번역에 관한 질문이나 의견이 있으시면 언제든지 저희에게 연락해 주십시오.

Goal

Detect exploitation of CVE-2023-4911, a buffer overflow in GNU C.

Strategy

This vulnerability exists in GNU C Library’s dynamic loader ld.so while processing the GLIBC_TUNABLES environment variable. A local attacker could launch a SUID binary with a maliciously crafted GLIBC_TUNABLES value to execute code with elevated permissions. This detection monitors SUID binary executions and alerts when the GLIBC_TUNABLES environment variable is provided.

Triage and response

  1. Inspect the executing process and the @process.envs field to determine if this is expected activity.
  2. Review the process tree and related signals to establish a timeline and determine where the activity originated from.
  3. Follow your organization’s internal processes for investigating and remediating compromised systems.
  4. Find and repair the root cause of the exploit.

Requires Agent version 7.27 or later.

PREVIEWING: may/unit-testing