Today, CISA ordered U.S. federal agencies to secure their systems against an actively exploited vulnerability that lets attackers gain root privileges on many major Linux distributions. Dubbed 'Looney Tunables' by Qualys' Threat Research Unit and tracked as CVE-2023-4911, this security vulnerability is due to a buffer overflow weakness in the GNU C Library's ld. The security flaw impacts systems running the latest releases of widely used Linux platforms, including Fedora, Ubuntu, and Debian in their default configurations. Administrators are urged to patch their systems as soon as possible, seeing that the vulnerability is now actively exploited and several proof-of-concept exploits have been released online since its disclosure in early October. "With the capability to provide full root access on popular platforms like Fedora, Ubuntu, and Debian, it's imperative for system administrators to act swiftly," Qualys' Saeed Abbasi warned. CISA also added the actively exploited Linux flaw to its Known Exploited Vulnerabilities Catalog today, including it in its list of "Frequent attack vectors for malicious cyber actors" and posing "Significant risks to the federal enterprise." Following its inclusion in CISA's KEV list, U.S. Federal Civilian Executive Branch Agencies must patch Linux devices on their networks by December 12, as mandated by a binding operational directive issued one year ago. Although the BOD 22-01 primarily targets U.S. federal agencies, CISA also advised all organizations to prioritize patching the Looney Tunables security flaw immediately. While CISA didn't attribute the ongoing Looney Tunables exploitation, security researchers with cloud security company Aqua Nautilus revealed two weeks ago that Kinsing malware operators are using the flaw in attacks targeting cloud environments. The attacks start with exploiting a known vulnerability within the PHP testing framework 'PHPUnit. ' This initial breach allows them to establish a code execution foothold, followed by leveraging the 'Looney Tunables' issue to escalate their privileges. After gaining root access to compromised Linux devices, threat actors install a JavaScript web shell for backdoor access. The Kinsing attackers' ultimate goal is to steal cloud service provider credentials, aiming for access to AWS instance identity data. Kinsing is known for breaching and deploying crypto mining software cloud-based systems, including Kubernetes, Docker APIs, Redis, and Jenkins. Microsoft has also recently observed the group targeting Kubernetes clusters via misconfigured PostgreSQL containers, while TrendMicro spotted them exploiting the critical CVE-2023-46604 Apache ActiveMQ bug to compromise Linux systems. Exploits released for Linux flaw giving root on major distros. New 'Looney Tunables' Linux bug gives root on major distros. Hackers exploit Looney Tunables Linux bug, steal cloud creds. Kinsing malware exploits Apache ActiveMQ RCE to plant rootkits. CISA warns of actively exploited Windows, Sophos, and Oracle bugs.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 30 Nov 2023 23:19:27 +0000