
A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment.
libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions.
Cue sheets (or CUE files) are plain text files containing the layout of audio tracks on a CD, such as length, track title, and performer, and are also commonly paired with the FLAC audio file format.
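As an added example (not libcue's code, and not from the researcher or the article), here is a small Python parser for the cue sheet format described above that range-checks every numeric field before using it, rather than trusting the file; the limits are the audio CD limits (99 tracks, index points 00-99, 75 frames per second) and the sample sheet is constructed for illustration.

```python
import shlex
# Audio CD limits: these bound every numeric field a cue sheet may carry
MAX_TRACKS = 99          # track numbers run 01-99
MAX_INDEX = 99           # index points per track run 00-99
FRAMES_PER_SECOND = 75   # MM:SS:FF times carry 75 frames per second

def parse_msf(text: str) -> int:
    # MM:SS:FF -> frame count; seconds and frames must be in range, not just numeric
    parts = text.split(":")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"bad MSF time {text!r}")
    mm, ss, ff = (int(p) for p in parts)
    if ss >= 60 or ff >= FRAMES_PER_SECOND:
        raise ValueError(f"MSF field out of range in {text!r}")
    return (mm * 60 + ss) * FRAMES_PER_SECOND + ff

def parse_cue(text: str) -> list:
    # Each track becomes a dict; every number is range-checked before it is used as a key
    tracks, current = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = shlex.split(raw)  # handles quoted titles that contain spaces
        if not fields:
            continue
        cmd, args = fields[0].upper(), fields[1:]
        if cmd == "TRACK":
            if len(args) != 2 or not args[0].isdigit():
                raise ValueError(f"line {lineno}: malformed TRACK")
            num = int(args[0])
            if not 1 <= num <= MAX_TRACKS or len(tracks) >= MAX_TRACKS:
                raise ValueError(f"line {lineno}: track number {num} out of range")
            tracks.append(current := {"number": num, "title": "", "performer": "", "indexes": {}})
        elif cmd == "INDEX":
            # isdigit() rejects a negative index; the MAX_INDEX test rejects an oversized one
            if current is None or len(args) != 2 or not args[0].isdigit() or int(args[0]) > MAX_INDEX:
                raise ValueError(f"line {lineno}: malformed, misplaced or out-of-range INDEX")
            current["indexes"][int(args[0])] = parse_msf(args[1])
        elif cmd in ("TITLE", "PERFORMER") and current is not None and args:
            current[cmd.lower()] = args[0]
    return tracks

def is_valid_cue(text: str) -> bool:
    try:
        parse_cue(text)
        return True
    except ValueError:
        return False
# Constructed sample sheet (not a real file): two tracks, the second with a pre-gap index
SAMPLE_CUE = ('FILE "album.flac" WAVE\n  TRACK 01 AUDIO\n    TITLE "Opening"\n'
              '    INDEX 01 00:00:00\n  TRACK 02 AUDIO\n    PERFORMER "Example Artist"\n'
              '    INDEX 00 03:12:40\n    INDEX 01 03:14:00\n')
```

Feeding the parser a sheet with a negative or oversized INDEX number, or an INDEX before any TRACK, makes it fail closed with a ValueError instead of indexing past the track table.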
GNOME is a widely used desktop environment across various Linux distributions such as Debian, Ubuntu, Fedora, Red Hat Enterprise, and SUSE Linux Enterprise.
Attackers can successfully exploit the flaw in question (CVE-2023-43641) to execute malicious code by taking advantage of Tracker Miners automatically indexing all downloaded files to update the search index on GNOME Linux devices.
“Because of the way that it's used by tracker-miners, this vulnerability in libcue became a 1-click RCE. If you use GNOME, please update today,” said GitHub security researcher Kevin Backhouse, who found the bug.
To exploit this vulnerability, the targeted user must download a maliciously crafted .CUE file, which is then saved in the ~/Downloads folder.
The memory corruption flaw is triggered when the Tracker Miners metadata indexer automatically parses the saved file via the tracker-extract process.
“To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer,” Backhouse said.
Backhouse demoed a proof-of-concept exploit and shared a video via Twitter earlier today. However, the release of the PoC will be postponed to give all GNOME users time to update and secure their systems.
While the PoC exploit has to be tweaked to work properly for each Linux distro, the researcher said that he had already created exploits targeting the Ubuntu 23.04 and Fedora 38 platforms that work “very reliably.”
“In my testing, I've found that the PoC works very reliably when run on the correct distribution (and will trigger a SIGSEGV when run on the wrong distribution),” Backhouse said.
“I have not created PoCs for any other distributions, but I believe that all distributions that run GNOME are potentially exploitable.”
While successful exploitation of CVE-2023-43641 requires tricking a potential victim into downloading a .cue file, admins are advised to patch systems and mitigate the risks posed by this security flaw, since it provides code execution on devices running the latest releases of widely used Linux distros, including Debian, Fedora, and Ubuntu.
Backhouse has found other severe Linux security flaws in recent years, including a privilege escalation bug in the GNOME Display Manager (gdm) and an authentication bypass in the polkit auth system service installed by default on many modern Linux platforms.
In related news, proof-of-concept exploits have already surfaced for the Looney Tunables high-severity flaw in the GNU C Library's dynamic loader, tracked as CVE-2023-4911, allowing local attackers to gain root privileges on major Linux platforms.