
CVE-2023-29491: n/a

Published: Fri Apr 14 2023 (04/14/2023, 00:00:00 UTC)
Source: CVE Database V5

Description

ncurses before 6.4 20230408, when used by a setuid application, allows local users to trigger security-relevant memory corruption via malformed data in a terminfo database file that is found in $HOME/.terminfo or reached via the TERMINFO or TERM environment variable.

AI-Powered Analysis

Last updated: 11/04/2025, 18:33:38 UTC

Technical Analysis

CVE-2023-29491 is a vulnerability in the ncurses library before 6.4 patch level 20230408 that affects setuid applications using ncurses for terminal handling. ncurses relies on terminfo database files to determine terminal capabilities. The vulnerability occurs when a local user supplies malformed data in a terminfo database file located in their home directory ($HOME/.terminfo) or reached through the TERMINFO or TERM environment variables. When a setuid application uses ncurses to process such a file, the malformed data can trigger security-relevant memory corruption, which may lead to privilege escalation: because setuid applications run with elevated privileges, a local attacker who exploits the flaw could execute arbitrary code with higher privileges. Exploitation requires local access and the ability to influence environment variables or place crafted terminfo files. No CVSS score has been assigned yet, and no exploits are publicly known.

The flaw is significant because ncurses is widely used on Unix-like systems and many setuid applications depend on it for terminal handling. It highlights the risk of processing untrusted input in privileged contexts. The fix is to update ncurses to 6.4 20230408 or later, which corrects the memory corruption issue by properly validating terminfo data. Until patched, restricting user control over environment variables and terminfo files can reduce risk.

Potential Impact

For European organizations, this vulnerability poses a significant risk primarily to Unix/Linux servers and workstations that run setuid applications linked against vulnerable ncurses versions. Successful exploitation could allow local attackers to escalate privileges, potentially gaining root or other elevated access. This could lead to unauthorized access to sensitive data, disruption of services, or further lateral movement within networks. Critical infrastructure, government, financial institutions, and enterprises relying on Linux-based systems for operations are particularly vulnerable. The impact is heightened in environments where multiple users have local access or where remote access is granted via SSH to user accounts. Since no remote exploitation vector is indicated, the threat is limited to local attackers but remains serious due to the privilege escalation potential. The absence of known exploits reduces immediate risk but does not eliminate it, especially as attackers may develop exploits over time.

Mitigation Recommendations

1. Upgrade ncurses to version 6.4 (20230408) or later as soon as possible to apply the official fix.
2. Audit and restrict permissions on $HOME/.terminfo directories and files to prevent unauthorized modification.
3. Limit the ability of unprivileged users to influence TERMINFO and TERM environment variables in contexts where setuid applications run.
4. Review and harden setuid applications that use ncurses, ensuring they do not run with unnecessary privileges or in environments where user-controlled environment variables can be manipulated.
5. Employ mandatory access controls (e.g., SELinux, AppArmor) to restrict setuid application behavior and access to user environment variables and files.
6. Monitor logs for suspicious activity related to environment variable manipulation or terminfo file access.
7. Educate system administrators about the risks of environment variable injection in privileged contexts.
8. Consider isolating critical setuid applications in containers or sandboxes to limit the impact of potential exploitation.
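
To scope the upgrade and the setuid review recommended above, the following added example (not part of the original advisory or of ncurses) compares the ncurses version reported by `tic -V` against the 6.4 20230408 threshold and lists setuid binaries that dynamically link libncurses or libtinfo. The function names and the `--scan` switch are this example's own; it assumes `tic` and `readelf` are installed.

```shell
#!/bin/sh
# Added example: exposure inventory for CVE-2023-29491 (defensive audit).
# Threshold from the CVE description: ncurses 6.4, patch 20230408.

# Exit 0 if MAJOR.MINOR.YYYYMMDD is at or past 6.4.20230408,
# 1 if it is older, 2 if the string cannot be parsed.
ncurses_is_fixed() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 3 ] && [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 2
    [ "$1" -gt 6 ] && return 0
    [ "$1" -lt 6 ] && return 1
    [ "$2" -gt 4 ] && return 0
    [ "$2" -lt 4 ] && return 1
    [ "$3" -ge 20230408 ]
}

# Version of the ncurses library the tic utility was built against,
# e.g. "6.4.20221231". Distribution packages may backport the fix without
# changing this string, so confirm against the vendor advisory as well.
installed_ncurses_version() {
    tic -V 2>/dev/null | sed -n 's/^ncurses \([0-9.]*\).*/\1/p'
}

# Print setuid regular files under the given directories whose ELF dynamic
# section names libncurses*/libtinfo* as NEEDED. readelf only parses the
# file (it never executes it). Statically linked binaries are not detected.
list_setuid_ncurses_users() {
    find "$@" -xdev -type f -perm -4000 2>/dev/null |
    while IFS= read -r f; do
        if readelf -d "$f" 2>/dev/null |
           grep -Eq 'NEEDED.*\[lib(ncurses|tinfo)'; then
            printf '%s\n' "$f"
        fi
    done
}

# Run the inventory only when asked, e.g.: sudo sh audit.sh --scan
if [ "${1:-}" = "--scan" ]; then
    ver=$(installed_ncurses_version)
    if ncurses_is_fixed "$ver"; then state="at or past 6.4 20230408"
    else state="older than 6.4 20230408, or not determined"; fi
    echo "ncurses per tic -V: ${ver:-not found} ($state)"
    echo "setuid binaries linking ncurses/tinfo:"
    list_setuid_ncurses_users /
fi
```

Because of `-xdev` the scan stays on the root filesystem; call `list_setuid_ncurses_users` with additional mount points if directories such as /usr or /opt are mounted separately.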


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2023-04-07T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690a439b6d939959c8fdd598

Added to database: 11/4/2025, 6:19:07 PM

Last enriched: 11/4/2025, 6:33:38 PM

Last updated: 11/6/2025, 1:43:04 PM
