Security
Headlines
HeadlinesLatestCVEs

Headline

One-Click 'Gnome' Exploit Is a Supply Chain Risk for Linux OSes

An overlooked library contains a vulnerability that could enable full remote takeover simply by clicking a link.

DARKReading
#vulnerability#web#mac#ubuntu#linux#git

Researchers have uncovered a vulnerability in a library within the GNOME desktop environment for Linux systems. If embedded in a malicious link, it could enable attackers to perform machine takeover in an instant.

GNOME — short for GNU Object Model Environment — is an open source desktop environment implemented by popular Linux distributions like Ubuntu and Fedora.

According to a new blog from the GitHub Security Lab, within one of GNOME’s default applications is a dependency containing a “High” 8.8 out of 10-rated, out-of-bounds array access vulnerability. Because of how the application works, all an attacker would need is one click from a victim in order to execute arbitrary code on a GNOME OS.

It “underscores a critical business risk,” says Igor Volovich, VP of compliance strategy at Qmulos. “For businesses, this is a stark reminder that a single vulnerability, even in seemingly benign software components, can be leveraged for wide-scale compromise, especially when these components are interconnected within larger systems or platforms.”

A Bug in a Dependency, App, Environment, or OS

The new vulnerability — CVE-2023-43641 — isn’t with Linux or GNOME, at least directly.

The issue, rather, lies in “libcue,” an obscure library with just nine forks on GitHub. libcue is used to parse “cue sheets,” a metadata format for describing the layout of tracks on a CD or DVD.

Among other projects, libcue is used by “tracker-miners,” a default application in GNOME used for indexing files in the home directory. Of note in this case is that tracker-miners automatically updates when files are added or modified in certain subdirectories, for example the “~/Downloads” folder.

GitHub’s researchers took advantage of this fact when designing an exploit for CVE-2023-43641. They wrote a malicious Web page which, when visited, triggers the download of a cue sheet (.cue) file. The file was saved to ~/Downloads, and tracker-miners automatically scanned it using libcue, enabling their code to run (in this case, simply opening a calculator app).

The researchers have successfully tested exploits for the most recent versions of Ubuntu and Fedora. They have also publicly released a harmless, six-line proof-of-concept.

Implications for Linux Users

The open source nature of Linux, its applications, libraries, and so on, are both a weakness and a strength where enterprise security is concerned.

“Its open-source nature invites vast community contributions, fostering innovation but also expanding its threat surface,” Volovich points out. On one hand, “preparedness lies in the robustness of the Linux community, which is often quick to patch and remediate identified vulnerabilities. However, the sheer scale of Linux deployments and varied custom configurations means that vulnerabilities can persist unnoticed.”

That one tiny syntax handling error in one minor component of one easily missed application can be shown to cause such significant consequences means that Linux users cannot be content with simply patching as needed, Volovich thinks. “While patching remains an essential reactive measure in the cybersecurity arsenal, a singular focus on it creates a game of perpetual catch-up. The continuously evolving threat landscape necessitates a shift in mindset.”

“Rather than isolating specific vulnerabilities, it’s more effective to approach security from a controls perspective. By doing so, organizations can identify and address potential weak spots before they’re exploited,” he says, pointing to frameworks and standards like NIST and ISO. “When enterprises embed these standards into their operations, they don’t merely respond to threats; they anticipate them.”

Related news

Ubuntu Security Notice USN-6423-2

Ubuntu Security Notice 6423-2 - USN-6423-1 fixed a vulnerability in CUE. This update provides the corresponding updates for Ubuntu 23.10. It was discovered that CUE incorrectly handled certain files. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code.

Debian Security Advisory 5524-1

Debian Linux Security Advisory 5524-1 - Kevin Backhouse discovered an out-of-bounds array access in Libcue, a library for parsing CD metadata, which could result in the execution of arbitrary code.

Ubuntu Security Notice USN-6423-1

Ubuntu Security Notice 6423-1 - It was discovered that CUE incorrectly handled certain files. An attacker could possibly use this issue to expose sensitive information or execute arbitrary code.

Gentoo Linux Security Advisory 202310-10

Gentoo Linux Security Advisory 202310-10 - A vulnerability has been discovered in libcue which could allow for arbitrary code execution. Versions greater than or equal to 2.2.1-r1 are affected.

libcue Library Flaw Opens GNOME Linux Systems Vulnerable to RCE Attacks

A new security flaw has been disclosed in the libcue library impacting GNOME Linux systems that could be exploited to achieve remote code execution (RCE) on affected hosts. Tracked as CVE-2023-43641 (CVSS score: 8.8), the issue is described as a case of memory corruption in libcue, a library designed for parsing cue sheet files. It impacts versions 2.2.1 and prior. libcue is incorporated into

CVE-2023-43641: Coordinated Disclosure: 1-Click RCE on GNOME (CVE-2023-43641)

libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution.

DARKReading: Latest News

Cross-Site Scripting Is 2024's Most Dangerous Software Weakness