A memory corruption vulnerability in the open-source libcue library can let attackers execute arbitrary code on Linux systems running the GNOME desktop environment.
libcue, a library designed for parsing cue sheet files, is integrated into the Tracker Miners file metadata indexer, which is included by default in the latest GNOME versions.
Cue sheets (or CUE files) are plain text files describing the layout of audio tracks on a CD, such as track length, song title, and performer, and are typically paired with the FLAC audio file format.
GNOME is a widely used desktop environment across various Linux distributions such as Debian, Ubuntu, Fedora, Red Hat Enterprise, and SUSE Linux Enterprise.
Attackers can exploit the flaw in question (CVE-2023-43641) to execute malicious code because Tracker Miners automatically indexes all downloaded files to update the search index on GNOME Linux devices.
“Due to the way that it’s used by tracker-miners, this vulnerability in libcue became a 1-click RCE. If you use GNOME, please update today,” said GitHub security researcher Kevin Backhouse, who found the bug.
To exploit this vulnerability, an attacker needs the targeted user to download a maliciously crafted .CUE file, which is saved to the ~/Downloads folder.
The memory corruption flaw is triggered when the Tracker Miners metadata indexer automatically parses the saved file via the tracker-extract process.
“To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer,” Backhouse said.
Backhouse demoed a proof-of-concept exploit and shared a video via Twitter earlier today. However, the release of the PoC will be postponed to provide time for all GNOME users to update and secure their systems.
While the PoC exploit needs to be tweaked to work properly for each Linux distro, the researcher said that he had already created exploits targeting the Ubuntu 23.04 and Fedora 38 platforms that work “very reliably.”
“In my testing, I have found that the PoC works very reliably when run on the correct distribution (and will trigger a SIGSEGV when run on the wrong distribution),” Backhouse said.
“I have not created PoCs for any other distributions, but I believe that all distributions that run GNOME are potentially exploitable.”
While successful exploitation of CVE-2023-43641 requires tricking a potential victim into downloading a .cue file, admins are advised to patch systems and mitigate the risks posed by this flaw, since it provides code execution on devices running the latest releases of widely used Linux distros, including Debian, Fedora, and Ubuntu.
Backhouse has found other severe Linux security flaws in recent years, including a privilege escalation bug in the GNOME Display Manager (gdm) and an authentication bypass in the polkit authorization system service installed by default on many modern Linux platforms.
In related news, proof-of-concept exploits have already surfaced for the Looney Tunables high-severity flaw in GNU C Library’s dynamic loader, tracked as CVE-2023-4911, allowing local attackers to gain root privileges on major Linux platforms.