CISA orders federal agencies to patch Looney Tunables Linux bug

Today, CISA ordered U.S. federal agencies to secure their systems against an actively exploited vulnerability that lets attackers gain root privileges on many major Linux distributions.

Dubbed 'Looney Tunables' by Qualys' Threat Research Unit (who discovered the bug) and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness in the GNU C Library's ld.so dynamic loader.

The security flaw impacts systems running the latest releases of widely used Linux platforms, including Fedora, Ubuntu, and Debian in their default configurations.

Administrators are urged to patch their systems as soon as possible, seeing that the vulnerability is now actively exploited and several proof-of-concept (PoC) exploits have been released online since its disclosure in early October.

"With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it's imperative for system administrators to act swiftly," Qualys' Saeed Abbasi warned.

CISA also added the actively exploited Linux flaw to its Known Exploited Vulnerabilities Catalog today, including it in its list of "frequent attack vectors for malicious cyber actors" and posing "significant risks to the federal enterprise."

Following its inclusion in CISA's KEV list, U.S. Federal Civilian Executive Branch Agencies (FCEB) must patch Linux devices on their networks by December 12, as mandated by a binding operational directive (BOD 22-01) issued one year ago.

Although the BOD 22-01 primarily targets U.S. federal agencies, CISA also advised all organizations (including private companies) to prioritize patching the Looney Tunables security flaw immediately.

Exploited in Kinsing malware attacks

While CISA didn't attribute the ongoing Looney Tunables exploitation, security researchers with cloud security company Aqua Nautilus revealed two weeks ago that Kinsing malware operators are using the flaw in attacks targeting cloud environments.

The attacks start with exploiting a known vulnerability within the PHP testing framework 'PHPUnit.' This initial breach allows them to establish a code execution foothold, followed by leveraging the 'Looney Tunables' issue to escalate their privileges.

After gaining root access to compromised Linux devices, threat actors install a JavaScript web shell for backdoor access. This shell allows them to execute commands, manage files, and conduct network and server reconnaissance.

The Kinsing attackers' ultimate goal is to steal cloud service provider (CSP) credentials, aiming for access to AWS instance identity data.

Kinsing is known for breaching and deploying crypto mining software cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins.

Microsoft has also recently observed the group targeting Kubernetes clusters via misconfigured PostgreSQL containers, while TrendMicro spotted them exploiting the critical CVE-2023-46604 Apache ActiveMQ bug to compromise Linux systems.