
Linux users running the KDE Plasma desktop environment need to apply patches for a bug that can lead to malicious code execution every time a user mounts a USB thumb drive on their computer.
The KDE Plasma team has released versions 5.8.9 and 5.12.0 to address the issue, tracked as CVE-2018-6791 and classified as an arbitrary command execution vulnerability.
According to the bug's description, if a USB thumb drive's volume label contains the shell command-substitution characters `` (backticks) or $(), the text enclosed by them is interpreted as a shell command and executed when the drive is mounted.
This means an attacker can place malicious code in a USB thumb drive's volume label and have it execute automatically on a victim's computer when the victim mounts the drive through KDE to view its contents.
The only conditions are that the victim runs a KDE Plasma desktop environment and that the USB thumb drive is VFAT formatted.
For example, inserting a VFAT USB thumb drive with the volume label $(touch b) or `touch b` creates a file named "b" in the user's home directory. Note that a VFAT volume label is limited to 11 characters, which constrains what fits in the label itself; both of these examples do.
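The mechanism behind the bug, shown as an added example rather than KDE's own code: a volume label is spliced into a command string that is then handed to a shell, so `$()` and backticks in the label are treated as command substitution. The helper names and the label values below are constructed for this demo (they are longer than the 11 characters a real VFAT label allows, which does not change the shell behaviour), and the payloads print the word INJECTED instead of touching a file. Two hardened variants are shown next to the vulnerable one: passing the label as a separate argument, and quoting it before it reaches the shell.

```shell
#!/bin/sh
# Added demo, not KDE code. Models how a volume label ends up inside a shell
# command. Label values are constructed for this example; the payloads echo
# INJECTED instead of running touch.

LABEL_SUBST='$(echo INJECTED)'        # analogue of the article's $(touch b)
LABEL_BACKTICK='`echo INJECTED`'      # analogue of `touch b`
LABEL_QUOTE="it's \$(echo INJECTED)"  # embedded quote, exercises the quoting helper

# Vulnerable pattern: the label is interpolated into the command text that is
# handed to a shell. The inner shell sees $(...) or `...` and executes it.
vulnerable_mount_message() {
    sh -c "echo Mounted volume: $1"
}

# Hardened pattern 1: keep the label out of the command text entirely and pass
# it as a positional parameter. The inner shell expands "$1" exactly once and
# never re-parses the result, so the substitution characters stay literal.
safe_mount_message_arg() {
    sh -c 'echo "Mounted volume: $1"' _ "$1"
}

# Hardened pattern 2: if the label must be spliced into command text, quote it
# first. Wrap it in single quotes and turn each embedded ' into '\''.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

safe_mount_message_quoted() {
    sh -c "echo Mounted volume: $(shell_quote "$1")"
}

# Stand-alone demonstration of all three code paths.
for label in "$LABEL_SUBST" "$LABEL_BACKTICK" "$LABEL_QUOTE"; do
    printf 'label: %s\n' "$label"
    if [ "$label" != "$LABEL_QUOTE" ]; then
        # the unbalanced quote in LABEL_QUOTE is a syntax error for the vulnerable path
        printf '  vulnerable  : %s\n' "$(vulnerable_mount_message "$label")"
    fi
    printf '  safe (arg)  : %s\n' "$(safe_mount_message_arg "$label")"
    printf '  safe (quote): %s\n' "$(safe_mount_message_quoted "$label")"
done
```

The vulnerable path prints "Mounted volume: INJECTED" for both payload styles, while both hardened paths print the label verbatim. Passing the label as an argument is the preferable fix, since it avoids re-parsing altogether; quoting is the fallback when a shell string is unavoidable, and it is the job that shell-quoting helpers such as KShell::quoteArg in KDE Frameworks exist to do.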
Several security researchers have described the bug as "hilarious", because this class of issue, untrusted input reaching a shell unquoted, was largely stamped out in the late 1990s and early 2000s by proper input sanitization and quoting.
All KDE Plasma versions before v5.12.0 are considered vulnerable; 5.8.9 fixes the issue for the 5.8 long-term-support branch. Users who cannot update are advised to mount new USB devices by other means instead of the KDE Device Notifier, the applet that handles pluggable devices in the KDE environment.
Wow, that sounds pretty horrible. This is why I still mount things the old way, with `mount`.
— Mike Gualtieri (@mlgualtieri) February 11, 2018
Comments
TheDcoder - 4 years ago
That is a pretty easy-to-exploit bug... I wonder why it has not come to light until now?
pcpunk - 4 years ago
That article doesn't even make sense? This would mean an attacker would need physical access to the computer and insert a USB with a certain name into it?
campuscodi - 4 years ago
Or drop one on the ground and have a target pick it up. Or send USB sticks via postal mail as contest prizes. There are many ways to deploy USB thumb drives to targets without the attacker being present in person.
NickAu - 4 years ago
Quote
" Or drop one on the ground and have a target pick it up. Or send USB sticks via postal mail as contest prizes. There are many ways to deploy USB thumb drives to targets without the attacker being present in person."
Wow, the potential victims of this must be at least 10 worldwide.
This would have to be a targeted attack and even then the chances of success are minimal.
_LC_ - 4 years ago
If I remember it correctly, they did make such tests. They dropped 'prepared' USB sticks in parking lots of security-relevant firms. About 50% couldn't resist the urge to plug it in and see what was on it...
Even if it was only 5%, you could get access to every big company that way (unless they take security measures and limit USB, which very few do).
campuscodi - 4 years ago
Don't be condescending, Nick. If people were as smart as you think they are, then we wouldn't have botnets with millions of victims. People can't stop opening random files they get in their email. Having them plug a USB thumb drive into their PC is actually easy.
Furthermore, having code run just because it's in a drive's label is ridiculous for the year 2018. You learn to sanitize user input fields in basic programming classes. This vulnerability is ridiculous and the amount of criticism I got here and on social media just for pointing this out is not justified if you really look at the facts. It's a dumb bug that's incredibly easy to exploit. The Linux fanboys need to admit their OS is not some indestructible infinity stone.
JohnnyJammer - 4 years ago
It only takes one user, one attempt at plugging a USB drive in, and bingo, you are off and racing.
Remember Stuxnet? We all know how that panned out!