Critical Unauthenticated RCE Flaw Impacts All GNU/Linux Systems (cybersecuritynews.com)
- Reference: 0175133363
- News link: https://it.slashdot.org/story/24/09/25/2150210/critical-unauthenticated-rce-flaw-impacts-all-gnulinux-systems
- Source link: https://cybersecuritynews.com/critical-unauthenticated-rce-flaw/
> A critical unauthenticated Remote Code Execution (RCE) [2]vulnerability has been discovered, [3]impacting all GNU/Linux systems. As per agreements with developers, the flaw, which has existed for over a decade, will be fully disclosed in less than two weeks. Despite the severity of the issue, no Common Vulnerabilities and Exposures (CVE) identifiers have been assigned yet, although experts suggest there should be at least three to six. Leading Linux distributors such as Canonical and RedHat have confirmed the flaw's severity, rating it 9.9 out of 10. This indicates the potential for catastrophic damage if exploited. However, despite this acknowledgment, no working fix is still available. Developers remain embroiled in debates over whether some aspects of the vulnerability impact security.
[1] https://slashdot.org/~jd
[2] https://threadreaderapp.com/thread/1838169889330135132.html
[3] https://cybersecuritynews.com/critical-unauthenticated-rce-flaw/
Re: (Score:2)
If you read the link attached to the underlined "vulnerability" word, and keep a very open & objective mind, you might think that posting was crafted by some 20-something who spends way too much time in their basement playing viddie games & searching for pr0n on the Interwebs.
Oh, please. (Score:4, Interesting)
The thread that the title comes from is from a Twitter user that later stated about the issue: "And YES: I LOVE hyping the sh1t out of this stuff because apparently sensationalism is the only language that forces these people to fix."
As such, every single thing about the topic should be taken with a grain of salt. Starting with systems affected (it's not all GNU/Linux) and also CVSS score (I score it as a 6.3 instead of 9.9). Use your imagination to decide how much of what was posted is based on fact as opposed to fantasy.
For starters, only systems without an enabled firewall are exploitable. (Note: Ubuntu doesn't enable a firewall by default for reasons I cannot fathom).
Secondly, the attack requires the victim to take a specific implausible action for the attack to work.
There's really nothing to see here. Spending your time thinking about any other vulnerability or attack vector would be a much better use of your time.
Re: (Score:2)
By default Ubuntu has no services that listen on anything other than localhost. Not even ssh. A firewall would be pointless.
Re: Oh, please. (Score:2)
This is provably incorrect.
Re: (Score:2)
Please do. Tell me how a Linux install with nothing listening, not even ssh will be hacked remotely.
Re: Oh, please. (Score:2)
It's state-actor level, but both RAM and monitor image can be remotely accessed.
Re: (Score:2)
kernel network/firewall code itself probably
Re: (Score:2)
Red Hat is similar, but it ships with firewalld on. One of the reasons I enable firewalling is that it provides a solid front-line defense. Some user ran something that opened a port? Still inaccessible due to the firewall in place. Or you want to allow SSH, but only from your internal subnet. At a previous job, I had a NAS running for a while on an external IP address, and after that time, the NAS wound up forensically examined to see if it was compromised, as a long term test. It was never breached,
Re: (Score:2)
So you have _actual_ information? (Not asking you to prematurely disclose)
One small question though: By "firewall enabled" do you mean it runs (module loaded or code compiled in) or that it has actual rules in there?
But what you describe is about what I expected from the grande, somewhat nonsensical announcement.
I especially like "the attack requires the victim to take a specific implausible action for the attack to work". There are tons of attacks that become possible when the victim is willing to do that
Re: Oh, please. (Score:2)
Yes, I've read the vulnerability report and have reproduced it. You'll get the details when the agreed upon disclose date arrives.
As for the firewall, just blocking incoming connections is sufficient for protection. On Ubuntu, this should do it: sudo ufw enable
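Added example, not part of the thread: the firewall question above turns on which sockets are bound to a non-loopback address. The function below filters output in the format of `ss -H -tuln` down to those sockets; the sample lines and the name `exposed_listeners` are constructed for illustration.

```shell
#!/usr/bin/env bash
# Constructed sample in the format of `ss -H -tuln` (not captured from a real host).
SAMPLE='udp   UNCONN 0      0      127.0.0.53%lo:53        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      4096       127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      4096           [::1]:631          [::]:*
tcp   LISTEN 0      511             [::]:8080         [::]:*'

# Read `ss -H -tuln` lines on stdin and print "proto port address" for every
# socket bound to something other than a loopback address (hypothetical helper).
exposed_listeners() {
  awk '{
    local_addr = $5                                # column 5: Local Address:Port
    port = local_addr; sub(/.*:/, "", port)        # text after the last colon
    addr = local_addr; sub(/:[^:]*$/, "", addr)    # text before the last colon
    sub(/%.*/, "", addr)                           # drop interface suffix such as %lo
    gsub(/[][]/, "", addr)                         # drop IPv6 brackets
    if (addr ~ /^127\./ || addr == "::1") next     # loopback-only: skip
    print $1, port, addr
  }'
}

# Run against the constructed sample; on a live host use: ss -H -tuln | exposed_listeners
printf '%s\n' "$SAMPLE" | exposed_listeners
```

An empty result means nothing is bound beyond loopback; any line printed is a socket whose reachability depends on the firewall policy in front of it.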
Re: (Score:2)
> Secondly, the attack requires the victim to take a specific implausible action for the attack to work.
There are 100-200M Linux machines in the world. Even if a particular specific action is implausible, tens of thousands of them are going to be vulnerable.
Software engineering at scale means realizing that with a big enough user base, every one of the corner cases that one could normally dismiss is going to actually be realized. Which is not to say that you have to make all of the work, but at least they s
Systemd component? (Score:3)
> only got patronized because the devs just can't accept that their code is crap
Systemd component? It sounds like Systemd component.
Re: (Score:2)
That would be nice. Because in that case my Linux servers are not in the "all" systems that are affected.
Sounds like FUD (Score:3)
Grand claims, no details and "Developers remain embroiled in debates over whether some aspects of the vulnerability impact security". That does sound like somebody wants their 15 minutes of fame, but not like a real problem.
Pics ... or it didn't happen (Score:1)
... of the CVSS score ...
Did Ken Thompson strike again? (Score:2)
In [1]Reflections on Trusting Trust [slashdot.org], Ken Thompson describes a hack which worked by modifying the C compiler to do two things
1) Insert itself into the C compiler whenever the C compiler is compiled
2) Modify "login" to accept a password of his own choosing (presumably for any account)
Thus, he need merely substitute his C-compiler-with-exploit for the real one once, and the exploit self-propagates (as long as the C compiler and login don't change enough to not be recognized by the exploit code anyway).
Somthing wh
[1] https://it.slashdot.org/story/24/09/25/2150210/Thompson_1984_ReflectionsonTrustingTrust
Re: Done (Score:2)
Are you ok? Do you need more meds?
An RCE affecting ALL Linux systems? (Score:3)
This sounds strange - how can something affect ALL systems? The only way to have an RCE is when listening on the network. And the network is usually kinda protected by the firewall (of which there are several, so it can't be that).
So this would have to be in the network stack? And not even in the NIC's driver, but in the core kernel one? And that seems rather strange after so many years.
Re: (Score:2)
There's a rumour that it's in CUPS.
Re: (Score:2)
> There's a rumour that it's in CUPS.
That one I threw out years ago. PoS.
Re: (Score:2)
> There's a rumour that it's in CUPS.
If so, that probably also means it also affects every version of macOS for 2.5 decades.