A memory corruption vulnerability in the open source libcue library may allow attackers to execute arbitrary code on Linux systems running the GNOME desktop environment.
libcue, a library for parsing cue sheet files, is built into the Tracker Miners file metadata indexer, which is included by default in the latest versions of GNOME.
Cue sheets (or CUE files) are plain text files that describe the layout of the audio tracks on a CD, such as track duration, song name, and performer, and are often paired with the FLAC audio file format.
GNOME is a desktop environment widely used on various Linux distributions, such as Debian, Ubuntu, Fedora, Red Hat Enterprise, and SUSE Linux Enterprise.
Attackers can successfully exploit the flaw in question (CVE-2023-43641) to execute malicious code by taking advantage of Tracker Miners automatically indexing all downloaded files to update the search index on GNOME Linux devices.
“Due to the way it is used by tracker-miners, this vulnerability in libcue became a 1-click RCE. If you use GNOME, update today,” said GitHub security researcher Kevin Backhouse, who found the bug.
To exploit this vulnerability, the targeted user must download a maliciously crafted .CUE file, which is then stored in the ~/Downloads folder.
The memory corruption flaw is triggered when the Tracker Miners metadata indexer automatically parses the newly saved file.
“To summarize, that means that inadvertently clicking on a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and execute code on your computer,” Backhouse said.
Backhouse demonstrated a proof-of-concept exploit and shared a video via Twitter earlier today. However, the PoC release will be postponed to give all GNOME users time to update and protect their systems.
While the PoC exploit needs to be modified to work correctly on each Linux distribution, the researcher said he had already created exploits targeting the Ubuntu 23.04 and Fedora 38 platforms that work “very reliably.”
“In my testing, I found that the PoC works very reliably when running on the correct distribution (and will trigger a SIGSEGV when running on the wrong distribution),” Backhouse said.
“I have not created PoC for any other distribution, but I believe that all distributions running GNOME are potentially exploitable.”
While successful exploitation of CVE-2023-43641 requires tricking a potential victim into downloading a .cue file, administrators are advised to patch systems and mitigate the risks posed by this security flaw, which provides code execution on devices running the latest versions of widely used Linux distributions, including Debian, Fedora, and Ubuntu.
Backhouse has found other serious Linux security flaws in recent years, including a privilege escalation bug in GNOME Display Manager (gdm) and an authentication bypass in the polkit authentication system service installed by default on many modern Linux platforms.
In related news, proof-of-concept exploits have already emerged for the high-severity Looney Tunables flaw in the GNU C library dynamic loader, tracked as CVE-2023-4911, which allows local attackers to gain root privileges on major Linux platforms.