Linux users running KDE Plasma desktop environments need to apply patches to fix a bug that can lead to malicious code execution every time a user mounts a USB thumb drive on his computer.
The KDE Plasma team has released versions 5.8.9 and 5.12.0 to address the issue, tracked as CVE-2018-6791 and categorized as an "arbitrary command execution" vulnerability.
According to a description of the bug, USB thumb drives that contain the characters `` or $() in the volume label will execute the text contained within these characters as shell commands.
This means that an attacker can place malicious code in a USB thumb drive's name and have it automatically execute on a victim's computer when the victim mounts the USB via KDE to view its contents.
The only condition is that the victim must run a KDE desktop environment and that the USB thumb drive must be VFAT formatted.
For example, inserting a VFAT USB thumb drive with the volume label $(touch b) or `touch b` will create a file named "b" in the user's home directory.
The bug has been described "hilarious" by most security researchers because such issues have been fixed in the late 90s and early 2000s by applying proper input sanitization techniques.
All KDE Plasma versions before v5.12.0 are considered vulnerable. Users who cannot update are advised to mount new USB devices via other methods instead of the KDE Device Notifier app (handles pluggable devices for KDE environment).
Wow, that sounds pretty horrible. This is why I still mount things the old way, with `mount`.— Mike Gualtieri (@mlgualtieri) February 11, 2018