Potential Privilege Escalation via CVE-2023-4911

Last updated: 2025-02-04
Created: 2023-10-05

About

This rule detects potential privilege escalation attempts through Looney Tunables (CVE-2023-4911). Looney Tunables is a buffer overflow in the GNU C Library's dynamic loader, in its processing of the GLIBC_TUNABLES environment variable.
Tags
Domain: Endpoint
OS: Linux
Use Case: Threat Detection
Tactic: Privilege Escalation
Use Case: Vulnerability
Data Source: Elastic Defend
Language: eql
Severity
high
Risk Score
73
MITRE ATT&CK™

Privilege Escalation (TA0004)

License
Elastic License v2

Definition

Rule Type
Event Correlation Rule
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
logs-endpoint.events.process*
Related Integrations

endpoint

Query
sequence by host.id, process.parent.entity_id, process.executable with maxspan=5s
 [process where host.os.type == "linux" and event.type == "start" and event.action == "exec" and
  process.env_vars : "*GLIBC_TUNABLES=glibc.*=glibc.*=*"] with runs=5
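The EQL above fires when the same parent process executes the same binary five times within five seconds, each time with a GLIBC_TUNABLES value that matches the glob shown. The following Python is an added example, not Elastic's code: it re-implements that filter and the sequence/maxspan/runs logic over constructed process-exec events so the rule's behaviour can be checked offline. The event layout, the helper names and the sample environment strings are assumptions made for the example; the glob is the one from the rule.

```python
"""Offline re-implementation of the CVE-2023-4911 detection logic (added example)."""
from collections import defaultdict
from fnmatch import fnmatchcase

# The wildcard from the EQL rule. EQL ':' is a case-insensitive glob match,
# so both sides are lower-cased before fnmatchcase is applied.
ENV_PATTERN = "*GLIBC_TUNABLES=glibc.*=glibc.*=*"


def env_var_matches(env_vars):
    """True if any environment-variable string matches the rule's glob."""
    return any(fnmatchcase(v.lower(), ENV_PATTERN.lower()) for v in env_vars)


def event_matches(ev):
    """The per-event filter of the rule's single sequence step."""
    return (
        ev.get("host.os.type") == "linux"
        and ev.get("event.type") == "start"
        and ev.get("event.action") == "exec"
        and env_var_matches(ev.get("process.env_vars", []))
    )


def detect(events, runs=5, maxspan=5.0):
    """Approximation of 'sequence by host.id, parent, executable with maxspan ... with runs=5'.

    Matching events are grouped by the sequence key and scanned in time order;
    every run of `runs` consecutive matches whose first and last timestamps are
    at most `maxspan` seconds apart yields one (key, first_ts, last_ts) alert.
    Events that contributed to an alert are consumed so overlapping windows do
    not re-alert. Real EQL sequence bookkeeping is more involved than this.
    """
    by_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if event_matches(ev):
            key = (ev["host.id"], ev["process.parent.entity_id"], ev["process.executable"])
            by_key[key].append(ev["@timestamp"])
    alerts = []
    for key, stamps in by_key.items():
        i = 0
        while i + runs <= len(stamps):
            if stamps[i + runs - 1] - stamps[i] <= maxspan:
                alerts.append((key, stamps[i], stamps[i + runs - 1]))
                i += runs
            else:
                i += 1
    return alerts


def _exec_event(host, parent, exe, ts, env, os_type="linux"):
    """Build a flattened ECS-style exec event (constructed sample, not real telemetry)."""
    return {"host.id": host, "process.parent.entity_id": parent,
            "process.executable": exe, "@timestamp": ts, "host.os.type": os_type,
            "event.type": "start", "event.action": "exec", "process.env_vars": env}


# Constructed environment blocks: the first matches the glob (two 'glibc.<x>='
# segments), the second is an ordinary single tunable and does not.
SUSPICIOUS_ENV = ["PATH=/usr/bin", "GLIBC_TUNABLES=glibc.foo=glibc.bar=x"]
BENIGN_ENV = ["GLIBC_TUNABLES=glibc.malloc.check=1"]

SAMPLE_EVENTS = (
    # five rapid exec attempts of one binary by one parent on host-a: should alert
    [_exec_event("host-a", "p-1", "/usr/bin/su", 100.0 + i * 0.5, SUSPICIOUS_ENV) for i in range(5)]
    # same five attempts spread over 40 s on host-b: outside maxspan, no alert
    + [_exec_event("host-b", "p-2", "/usr/bin/su", 200.0 + i * 10.0, SUSPICIOUS_ENV) for i in range(5)]
    # one legitimate tunable: the filter never matches
    + [_exec_event("host-a", "p-3", "/usr/bin/ls", 300.0, BENIGN_ENV)]
    # matching env var but not a Linux host: excluded by the OS check
    + [_exec_event("host-c", "p-4", "/usr/bin/su", 400.0 + i, SUSPICIOUS_ENV, os_type="macos") for i in range(5)]
)

if __name__ == "__main__":
    for key, first, last in detect(SAMPLE_EVENTS):
        print(f"ALERT {key} ({last - first:.1f}s window)")
```

Running the file prints a single alert for host-a; raising maxspan to 60 s also surfaces the slow host-b run, which is the trade-off the rule's 5-second window makes between catching repeated attempts and staying quiet on slower, possibly legitimate activity.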

Install detection rules in Elastic Security

Detect Potential Privilege Escalation via CVE-2023-4911 in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, check out the installation guide for Prebuilt Security Detection Rules.