GNOME users at risk of RCE attack (CVE-2023-43641)
If you’re running GNOME on you Linux system(s), you are probably open to remote code execution attacks via a booby-trapped file, thanks to a memory corruption vulnerability (CVE-2023-43641) in the libcue library.
Discovered by GitHub security researcher Kevin Backhouse, CVE-2023-43641 affects the libcue library, which is used for parsing cue sheets (files) that contain the layout of tracks on a CD.
Libcue is also used by an application called tracker-miners, which indexes files in users’ home directory. The app is included in GNOME – the default desktop environment of many open-source operating systems (e.g., Debian, Fedora, Ubuntu, Red Hat Enterprise Linux, SUSE, Oracle Solaris).
“The index is automatically updated when you add or modify a file in certain subdirectories of your home directory, in particular including ~/Downloads. To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer,” Backhouse shared.
He demonstrated the attack with a proof-of-concept exploit delivered via a .cue file, but also pointed that cue sheets are just one of many file formats supported by tracker-miners. “For example, [tracker-miners] also includes scanners for HTML, JPEG, and PDF.”
No PoC available (for now), but patch quickly!
Backhouse has delayed the publication of the PoC, but has released a file users can use to test whether their system is vulnerable. If it is, the file will trigger a benign crash, he noted.
Backhouse successfuly executed the PoC on Ubuntu 23.04 and Fedora 38, and explained that it must be be adjusted to work on different distributions. “I have not created PoCs for any other distributions, but I believe that all distributions that run GNOME are potentially exploitable,” he concluded.
Admins are advised to implement fixes as they are pushed out by maintainers of affected Linux and Unix-like operating systems.