Critical Unauthenticated RCE Flaw Impacts all GNU/Linux systems


A critical unauthenticated Remote Code Execution (RCE) vulnerability has been reported which, according to the researcher who found it, impacts all GNU/Linux systems.

Under an agreement with the developers, the flaw, which the researcher says has existed for over a decade, will be fully disclosed in less than two weeks.


Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, although experts suggest that between three and six will be needed to cover the separate flaws involved.

Unauthenticated RCE (source: ThreadReader)

Severity Confirmed by Major Distributors

Leading Linux distributors such as Canonical and Red Hat have confirmed the flaw’s severity, rating it 9.9 out of 10 on the CVSS scale. A score that high indicates the potential for catastrophic damage if the flaw is exploited.

However, despite this acknowledgment, no working fix is yet available. Developers remain embroiled in debates over whether some aspects of the vulnerability are security-relevant at all.


Frustrations and Challenges in Disclosure

According to the researcher’s thread (archived on ThreadReader), the researcher who uncovered this flaw has expressed deep frustration over the handling of the disclosure process.

Having dedicated three weeks of sabbatical to this effort, they report being met with resistance and patronization from developers reluctant to accept that there are flaws in their code.

The researcher notes that progress has been slow despite their providing multiple proofs of concept (PoCs) that systematically disprove the developers’ assumptions.

This underscores the critical need for responsible vulnerability handling on the vendor side as well as the researcher’s. The unfolding situation serves as a stark example of how not to handle a security disclosure.

The researcher acknowledges the developers’ challenges but emphasizes the need to address vulnerabilities promptly. They also commend Canonical for its efforts in mediating and assisting from the beginning.

As full disclosure approaches, swift action becomes increasingly urgent. Until then, defenders have no component name or CVE to act on; the practical step is to watch the advisories from Canonical and Red Hat, which will carry the identifiers and patches once they exist. The Linux community and its users worldwide await effective fixes to safeguard their systems against this significant threat.
