
Linux users running the KDE Plasma desktop environment need to apply patches to fix a bug that can lead to malicious code execution every time a user mounts a USB thumb drive on their computer.

The KDE Plasma team has released versions 5.8.9 and 5.12.0 to address the issue, tracked as CVE-2018-6791 and categorized as an "arbitrary command execution" vulnerability.

According to a description of the bug, USB thumb drives whose volume label contains backticks (``) or $() will have the text enclosed by these characters executed as shell commands.

This means that an attacker can place malicious code in a USB thumb drive's name and have it automatically execute on a victim's computer when the victim mounts the USB via KDE to view its contents.

The only condition is that the victim must run a KDE desktop environment and that the USB thumb drive must be VFAT formatted.

For example, inserting a VFAT USB thumb drive with the volume label $(touch b) or `touch b` will create a file named "b" in the user's home directory.
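To show why a volume label can turn into a shell command and what the fix looks like, here is an added example that is not part of the article and not KDE's code. It simulates a device-notifier hook with a stand-in `echo` command (the hook name, sample labels and helper functions are constructed for this example); the injected labels use a harmless `echo` in place of the article's `touch b`. The vulnerable variant splices the label into a string that `sh` parses, so `$()` and backticks expand even inside double quotes; the two hardened variants either avoid the shell entirely (argv list) or single-quote the label with `shlex.quote`. A small detector flags labels containing shell expansion syntax, the kind of check a defender might add to mount logging.

```python
"""Simulated device-notifier hook: vulnerable vs. hardened handling of a
volume label.  Written for this example; it is not KDE's implementation."""
import re
import shlex
import subprocess

# Constructed sample labels (not from the article).  The last two carry the
# same expansion syntax the article describes, with `echo` as the payload.
SAMPLE_LABELS = [
    "MYUSB",
    "Photos 2018",
    "$(echo injected)",
    "`echo injected`",
]

# Backticks, $(...), ${...} and $NAME are all expanded by a POSIX shell.
SHELL_EXPANSION = re.compile(r"`|\$\(|\$\{|\$[A-Za-z_]")


def has_shell_expansion(label: str) -> bool:
    """Return True if the label contains shell command/parameter expansion syntax."""
    return SHELL_EXPANSION.search(label) is not None


def _run(argv: list) -> str:
    out = subprocess.run(argv, capture_output=True, text=True, check=True)
    return out.stdout.strip()


def announce_unsafe(label: str) -> str:
    """Vulnerable pattern: the label is interpolated into a command string that
    sh parses.  Double quotes do not stop $() or backtick expansion."""
    cmd = f'echo "Device mounted: {label}"'
    return _run(["sh", "-c", cmd])


def announce_argv(label: str) -> str:
    """Fix 1: no shell at all.  The label is a single argv element and is never
    parsed, so expansion syntax is passed through literally."""
    return _run(["echo", f"Device mounted: {label}"])


def announce_quoted(label: str) -> str:
    """Fix 2: when a shell command string is unavoidable, single-quote the
    untrusted value with shlex.quote so the shell treats it as literal text."""
    cmd = "echo " + shlex.quote(f"Device mounted: {label}")
    return _run(["sh", "-c", cmd])


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        flag = "FLAGGED" if has_shell_expansion(label) else "ok"
        print(f"label={label!r} [{flag}]")
        print("  unsafe :", announce_unsafe(label))
        print("  argv   :", announce_argv(label))
        print("  quoted :", announce_quoted(label))
```

Running the script shows the unsafe path printing "Device mounted: injected" for both injected labels, while the argv and quoted paths print the label verbatim. The argv form is the preferable fix: it removes the shell from the path altogether, so there is no quoting to get wrong.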

The bug has been described as "hilarious" by many security researchers because issues of this kind were fixed in the late 90s and early 2000s by applying proper input sanitization techniques.

All KDE Plasma versions before v5.12.0 are considered vulnerable. Users who cannot update are advised to mount new USB devices via other methods instead of the KDE Device Notifier app (which handles pluggable devices for the KDE environment).
