A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment.
libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions.
Cue sheets (or .cue files) are plain-text files that describe the layout of the tracks on a CD (track lengths, song titles, performers) and are commonly distributed alongside FLAC audio files.
GNOME is a widely used desktop environment shipped by many Linux distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise Linux, and SUSE Linux Enterprise.
Attackers can exploit the flaw in question (CVE-2023-43641) to execute malicious code because Tracker Miners automatically indexes every newly downloaded file to keep the search index current on GNOME Linux systems.
"Due to the way that it's used by tracker-miners, this vulnerability in libcue became a 1-click RCE. If you use GNOME, please update today," said GitHub security researcher Kevin Backhouse, who found the bug.
To exploit this vulnerability, the targeted user only has to download a maliciously crafted .cue file, which lands in the ~/Downloads folder.
The memory corruption is triggered when the Tracker Miners metadata indexer automatically parses the saved file in its tracker-extract process, which hands the file to libcue.
"To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer," Backhouse said.
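The attack chain above ends in a parser bug that NVD classifies as an out-of-bounds array access. The following C program, written for this page and not taken from libcue or from the researcher's proof of concept, shows that bug class on a stripped-down cue-sheet INDEX parser: a setter that checks only the upper bound of the index number, beside a hardened setter that checks both bounds. The Track layout, the MAXINDEX limit of 99, the guard words on either side of the index array, and the in-memory sample sheet are all constructed for the demonstration; the guards exist only so the stray write is observable without touching memory the program does not own. How such a write is turned into code execution inside tracker-extract is not shown here.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAXINDEX 99             /* assumed limit: cue INDEX numbers are two digits, 00..99 */
#define GUARD    0x47554152L    /* marker word; a changed guard means an out-of-bounds write */

/* Illustrative track record (not libcue's). The index slots sit inside a larger
 * buffer with a guard word on each side, so a stray write lands on a guard. */
typedef struct {
    long slots[MAXINDEX + 3];   /* [0] guard, [1..MAXINDEX+1] index 0..99, [MAXINDEX+2] guard */
    long *index;                /* &slots[1]: what the setters below write through */
} Track;

static void track_init(Track *t) {
    memset(t->slots, 0, sizeof t->slots);
    t->slots[0] = GUARD;
    t->slots[MAXINDEX + 2] = GUARD;
    t->index = &t->slots[1];
}

static int track_guards_intact(const Track *t) {
    return t->slots[0] == GUARD && t->slots[MAXINDEX + 2] == GUARD;
}

/* Vulnerable setter: only the upper bound is checked, so a negative index
 * taken from the file writes before the start of the array. */
static void track_set_index_vuln(Track *t, int i, long frames) {
    if (i > MAXINDEX) return;
    t->index[i] = frames;
}

/* Hardened setter: both bounds checked, caller told about the rejection. */
static int track_set_index_safe(Track *t, int i, long frames) {
    if (i < 0 || i > MAXINDEX) return -1;
    t->index[i] = frames;
    return 0;
}

/* "mm:ss:ff" -> frame count (75 frames per second), or -1 if malformed. */
static long parse_msf(const char *s) {
    int m, sec, f;
    char extra;
    if (sscanf(s, "%d:%d:%d%c", &m, &sec, &f, &extra) != 3) return -1;
    if (m < 0 || sec < 0 || sec > 59 || f < 0 || f > 74) return -1;
    return ((long)m * 60 + sec) * 75 + f;
}

/* One "INDEX nn mm:ss:ff" line. Returns 0 if stored, -1 if malformed or rejected. */
static int parse_index_line(Track *t, const char *line, int hardened) {
    char num[32], msf[32], *end;
    if (sscanf(line, " INDEX %31s %31s", num, msf) != 2) return -1;
    errno = 0;
    long i = strtol(num, &end, 10);
    if (errno != 0 || *end != '\0' || i < INT_MIN || i > INT_MAX) return -1;
    long frames = parse_msf(msf);
    if (frames < 0) return -1;
    if (hardened) return track_set_index_safe(t, (int)i, frames);
    track_set_index_vuln(t, (int)i, frames);
    return 0;
}

/* Walk a cue sheet held in memory and feed its INDEX lines to the parser.
 * Returns the number of INDEX lines rejected, or -1 if the sheet is too long. */
static int parse_cue(Track *t, const char *cue, int hardened) {
    char copy[1024];
    int rejected = 0;
    if (strlen(cue) >= sizeof copy) return -1;
    strcpy(copy, cue);
    for (char *line = strtok(copy, "\n"); line; line = strtok(NULL, "\n")) {
        while (*line == ' ' || *line == '\t') line++;
        if (strncmp(line, "INDEX", 5) != 0) continue;  /* other commands ignored here */
        if (parse_index_line(t, line, hardened) != 0) rejected++;
    }
    return rejected;
}

/* Constructed sample sheet: one ordinary INDEX, then one with a negative number. */
static const char MALICIOUS_CUE[] =
    "FILE \"song.flac\" WAVE\n"
    "  TRACK 01 AUDIO\n"
    "    INDEX 01 00:00:00\n"
    "    INDEX -1 00:02:00\n";

/* 1 if the guard words survive parsing MALICIOUS_CUE with the chosen setter. */
static int guards_after_parse(int hardened) {
    Track t;
    track_init(&t);
    parse_cue(&t, MALICIOUS_CUE, hardened);
    return track_guards_intact(&t);
}

/* How many INDEX lines the chosen setter rejects on MALICIOUS_CUE. */
static int rejected_after_parse(int hardened) {
    Track t;
    track_init(&t);
    return parse_cue(&t, MALICIOUS_CUE, hardened);
}

int main(void) {
    printf("vulnerable: guards intact=%d rejected=%d\n", guards_after_parse(0), rejected_after_parse(0));
    printf("hardened:   guards intact=%d rejected=%d\n", guards_after_parse(1), rejected_after_parse(1));
    return 0;
}
```

With the vulnerable setter the `INDEX -1` line silently overwrites the word before the array (the guard) and nothing is reported; with the hardened setter the same line is rejected and the array is untouched. The general point is that any index taken from untrusted input needs both a lower and an upper bound check before it is used to address memory.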
Backhouse demoed a proof-of-concept exploit in a video shared on Twitter earlier today. Release of the PoC itself has been postponed to give GNOME users time to update and secure their systems.
While the PoC exploit needs to be tweaked to work properly for each Linux distro, the researcher said that he had already created exploits targeting the Ubuntu 23.04 and Fedora 38 platforms that work "very reliably."
"In my testing, I have found that the PoC works very reliably when run on the correct distribution (and will trigger a SIGSEGV when run on the wrong distribution)," Backhouse said.
"I have not created PoCs for any other distributions, but I believe that all distributions that run GNOME are potentially exploitable."
Although exploiting CVE-2023-43641 requires tricking the victim into downloading a .cue file, admins are advised to patch promptly: the flaw yields code execution on the latest releases of widely used Linux distros, including Debian, Fedora, and Ubuntu.
Backhouse has found other severe Linux security flaws in recent years, including a privilege escalation bug in the GNOME Display Manager (gdm) and an authentication bypass in the polkit auth system service installed by default on many modern Linux platforms.
In related news, proof-of-concept exploits have already surfaced for the Looney Tunables high-severity flaw in GNU C Library's dynamic loader, tracked as CVE-2023-4911, allowing local attackers to gain root privileges on major Linux platforms.
Comments
Mike_Walsh - 7 months ago
I've used Linux exclusively for around a decade. I've never even heard of a .cue file, much less downloaded or actually seen one..... Mind you, Puppy is a very 'niche' distro, at best.....and on top of that, it runs a highly unusual desktop set-up. I doubt it'll give US very much trouble, though it's always good to at least be aware of this stuff.
GT500 - 7 months ago
Does this affect MATE as well (fork of GNOME 2), or only more modern GNOME desktop environments? Just because it's included by default in the latest GNOME versions doesn't mean that someone didn't add support to MATE at some point too.
kzy909 - 7 months ago
hmmm,
#uname -a
Linux foo 6.5.5-200.fc38.x86_64 #1 SMP PREEMPT_DYNAMIC Sun Sep 24 15:52:44 UTC 2023 x86_64 GNU/Linux
looks like fedora 38....
#dnf provides libcue
Last metadata expiration check: 2:06:07 ago on Tue Oct 10 10:25:00 2023.
libcue-2.2.1-11.fc38.i686 : Cue sheet parser library
Repo : fedora
Matched from:
Provide : libcue = 2.2.1-11.fc38
So the vulnerable libcue is in the default fedora repo.
# firefox https://nvd.nist.gov/vuln/detail/CVE-2023-43641
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access.
CNA: GitHub, Inc.Base Score: 8.8 HIGHVector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
And GITHUB (a fancy file sharing service) thinks it's an 8.8 severity - is also informative. 'Tricking' you into downloading could be as simple as
> git clone https://github.com/your.favorite.code.pile
Other file service services might also contain bad .cue files...
# systemctl list-units | grep tracker
#
does not find tracker-miner so not turned on by cinnamon/mate
# systemctl list-timers
Mon 2023-10-16 00:00:01 PDT 5 days left Mon 2023-10-09 00:00:01 PDT 1 day 12h ago plocate-updatedb.timer plocate-updatedb.service
Services that scan the world for things running as root often are vectors for badness. Could locate be tricked into doing something?
Since libcue is in the default fedora repo, even though tracker-miner isn't actively scanning, I think you are potentially vulnerable until libcue 2.2.1 gets patched.
kzy909 - 6 months ago
dnf update patches libcue this AM:
libcue x86_64 2.2.1-13.fc38
Unfortunately https://nvd.nist.gov/vuln/detail/CVE-2023-43641 says:
" This issue is patched in version 2.3.0."
But if we look at:
https://koji.fedoraproject.org/koji/buildinfo?buildID=2304476
we find:
Changelog * Tue Oct 10 2023 Adam Williamson <awilliam@redhat.com> - 2.2.1-13
- Fix CVE-2023-43641 (Kevin Backhouse)
So props to the fedora devs at RedHat for backporting into current 2.2.1-13.
YMMV - or more precisely, Y *Distro* MMV
Be really interesting to see an article on how responsive/quick all the distros are at tracking and backporting CVEs.