Decades ago, Linux users used to brag about how secure the Linux OS was, and many of them continue that false narrative even today.
How anyone can interpret the term open-source as meaning secure is beyond me. That is akin to saying that ‘leaving your front door open on your home makes it more secure than closing that front door and locking it’.
Fact is, Linux is the least secure modern Desktop/laptop OS around, and Linux servers are Hackers first choice.
Vulnerabilities & Flaws in Linux
Between the rapid release of open source software, and modern OSes preloaded with packages, enterprises are vulnerable to attacks they aren’t even aware of.
Most enterprises have gotten very mature at network and perimeter security, but are still juvenile in their understanding and workflow around open source provenance and software supply chain security. Hackers have shifted their attention towards not only the security of individual open source projects themselves, but the gaps between software artifacts: their transitive dependencies and the build systems they touch.
We need to fix this, and the way to do so is arguably not at the individual project level but rather at the level of the distribution.
“Basically open source got much more popular, and the front door got harder to break into so attackers are targeting the back door,” said Dan Lorenc, CEO and cofounder at Chainguard, in an interview. Bad actors, in other words, needn’t target your code. They can attack one of the dependencies you didn’t even know you had.
Most Linux Distros only have one or two main developers, and they are usually volunteering their time. They are open targets for any Hacker wanting to hack their Distro.
Those kids are not hackers, and they did it to one of the most popular Linux desktop/laptop OSes, Linux Mint. Still, Clement Lefebvre falsely claims his Distro is secure.
Major players like Red Hat, Fedora, Ubuntu, and Debian deal with the security issues everyday, but can’t even slow the attacks down.
A new Linux security vulnerability dubbed Looney Tunables has been discovered in the GNU C library’s ld.so dynamic loader that, if successfully exploited, could lead to a local privilege escalation and allow a threat actor to gain root privileges.
Tracked as CVE-2023-4911 (CVSS score: 7.8), the issue is a buffer overflow that resides in the dynamic loader’s processing of the GLIBC_TUNABLES environment variable. Cybersecurity firm Qualys, which disclosed details of the bug, said it was introduced as part of a code commit made in April 2021.
The GNU C library, also called glibc, is a core library in Linux-based systems that offers foundational features such as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, and exit.
NOTE: this is what I have noticed over the years about Linux – “new Linux security vulnerability” has been found in October of 2023, but when you read closer it goes on to say something like this – ‘the flaw was introduced in April 2021’.
Some of these vulnerabilities & flaws have gone on for 10 years and more, but get reported as being new. Let me rephrase an earlier point—from “but can’t even slow the attacks down” to – they ‘can’t even slow KNOWN vulnerabilities & flaws down.’ Then, actual new ones also keep showing up.
Looney Tunables is the latest addition to a growing list of privilege escalation flaws that have been discovered in Linux in recent years, counting CVE-2021-3156 (Baron Samedit), CVE-2021-3560, CVE-2021-33909 (Sequoia), and CVE-2021-4034 (PwnKit), that could be weaponized to obtain elevated permissions.
1) The GNU C library, also called glibc, is a core library in Linux-based systems that offers foundational features such as open, read, write, malloc, printf, getaddrinfo, dlopen, pthread_create, crypt, login, and exit.
2) The GNU C Library, commonly known as glibc, is a wrapper around the system calls of the Linux kernel for application use.
Open-source is not about security…simple as that. This Looney Tunables vulnerability has been around since “April 2021” so it is basically built into the Linux Kernel—intentionally or not.
Alpine Linux, ‘which uses musl libc, is not affected’ by the Looney Tunables vulnerability, but other minor (untested as of now) Distros might, e.g., ‘Arch Linux uses the GNU C Library (glibc) as the C standard library; it is a dependency of the base meta package.’