This Week In Security: Looney Tunables, Not A 0-day*, And Curl Warning

This week starts out with a nifty vulnerability in the glibc dynamic loader. This is an important step in running a binary executable on Linux, as it pulls the list of required shared libraries, and loads those libraries into memory. Glibc also includes a feature to adjust some runtime settings, via the GLIBC_TUNABLES environment variable. That’s where the vulnerability resides, and researchers from Qualsys obviously had a bit of fun in taking inspiration to pick the vulnerability name, “Looney Tunables”.

The problem is memory handling in the sanitizing parser. This function iterates through the environment variable, looking for strings of tunable1=aa, separated by colons. These strings get copied to the sanitized buffer, but the parsing logic goes awry when handling the malformed tunable1=tunable2=AAA. The first equals sign is taken at face value, copying the rest of the string into the buffer. But then the second equals sign is also processed as another key=value pair, leading to a buffer overflow.

The reason this particular overflow is interesting is that if the binary to be run is a Set-User-ID (SUID) root application, the dynamic loader runs as root, too. If the overflow can achieve code execution, then it’s a straightforward privilege escalation. And since we’re talking about it, you know there’s a way to execute code. It turns out, it’s possible to overwrite the pointer to the library search path, which determines where the dynamic loader will look for libraries. Tell it to look first in an attacker-controlled location, and you can easily load a malicious for instant code execution.

This vulnerability affects many Linux distros, and there’s already a Proof of Concept (PoC) published. So, it’s time to go check for updates for cve-2023-4911.

Yo Dog, I heard you Liked Linux Servers

Someone put a vulnerable Linux server in your Linux servers. Naturally that’s the Baseboard Management Controller (BMC) found in many server-class computers. Admittedly, it’s extremely convenient to have a way to access a remote server for re-installs, or to get back in after a firewall configuration change goes wrong. But the old advice still rings true: Don’t put it on the Internet!

Supermicro’s BMC firmware is in the cross-hairs here, and one of the first vulnerabilities found was command injection in the email alerts settings. It’s a trivial case where a shell command is composed of values set in the interface, and then run as root. Yes, my email is;, why do you ask?

That’s only good for an authenticated user. So you’ll be thrilled to know there’s also a couple ways to bypass authentication. The most straightforward is to construct a URL that points to the BMC, and includes some JS as an argument. Get an authenticated user to click the link, and the JS executes in their session. But that requires user interaction — falling for the malicious link.

So there’s one more approach — poison. The BMC web app stores settings like preferred language in the user cookie. And that value is then inserted into the BMC pages on each load. If an attacker can poison the cookie, a script can run on every page load. While this doesn’t require falling for the trick repeatedly, it does still require a toe-hold, most likely via the doctored link. Amid the normal wrangling between vendor and researcher about how critical each issue really is, Supermicro has published updates addressing the issues.

Lines of sheer terror

Why do we need Wayland? Because X11 has vulnerabilities that have been in the code base since 1988 — and one from 1996, and two from 1998. One of those bugs is an integer overflow when creating an image, and leads to a heap overflow. Of all the issues, this seems to be likely to lead to code execution. This sort of brokenness has been known about for over a decade now, and is one of the main reasons so many distros and developers are pushing for Wayland.

Not a vulnerability? OK, We’ll Publish Now

The write-up from Watchtowr Labs on problems found in the Sangfor Next Generation Application Firewall (NGAF) is a delight — if you enjoy thinly veiled sardonic mockery. The NGAF has multiple unfortunate vulnerabilities, with the worst being a unauthenticated command injection attack in the username of the login page. Yes, my username really is bobby.tables; nc -e /bin/bash, why do you ask?

So here’s where the mockery comes from. When the Watchtowr team contacted Sangfor to report these disastrous problems in their “truly secured, integrated and simplified firewall solution”, Sangfor responded that the problems were all either already fixed, or were false positives. That means that Watchtowr can release their findings right away, and not worry about them being 0-days. It’s sort of the ultimate in calling an OEM’s bluff. And for our money? Maybe stick to brands that do a bit better responding to security problems.


On the 11th, this upcoming Wednesday, be on the lookout for a curl update that fixes a high severity curl/libcurl vulnerability. There aren’t any details available yet, besides the ominous warning from the curl team that it’s serious.

Bits and Bytes

Exim has a set of six bugs that were reported through ZDI, released publicly on September 27th. Three of those issues were fixed October 3rd with release 4.96.1, with the other three still pending. What makes this particularly troubling is that ZDI started the disclosure process in June of 2022. Not a good look for Exim.

There continues to be a campaign of malicious Python packages, working to steal data and redirect cryptocurrency from anyone unfortunate enough to download one of the packages. The payload seems to only trigger on Windows systems, and the known packages have managed a distressing-yet-impressive 75,000 total downloads.

BinDiff is now open source. This useful tool from Google is all about sniffing out what changed between versions of software, when all you have to work from is the binaries. It does some limited decompiling, too. Perfect tool for reverse engineering a security patch.

8 thoughts on “This Week In Security: Looney Tunables, Not A 0-day*, And Curl Warning

  1. Got to ponder on if Wayland is actually going to be any better, history seems suggest not really – we just don’t have all these years of huge numbers of people actively looking for or accidentally finding the bugs.

    That Sangfor stuff though, I think I want to go back to discreet ‘dumb’ logic based electronics and books as the medium for passing information around… At least the code has some programmers frustration evident in it for amusement value.

    1. The protocol itself might be more secure due to restricting program’s access to stuff but if the compositor itself is implemented in C/whatever there’s nothing stopping it from having overflow errors, out of bounds accesses, etc

      1. Indeed, and even if the concept was perfectly executed with no security flaws at all (impossible but go with it) when Wayland can first be considered functional it almost certainly won’t stay that way – features evolve and get added, the interactions between other elements change. And as complexity grows stupid little how did I miss that interaction oversights become more likely.

        There is always going to be some flaw in there when dealing with just complex and dynamic situations.

      2. Problem is -Wayland is now 15? years old. It was intended as simple replacement to X11, yet it isn’t even complete and it takes on more and more features from X11, and not even close to replacing it – there will still be at least compatibility layer in foreseeable future.

  2. It would be nice if This Week in Security was always in both Hackaday Columns and Security Hacks categories or it was always tagged with This Week in Security tag. This is neither so my RSS reader missed it.

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.