GNOME Libcue Flaw is a Risk to Linux Systems
Security researchers say a flaw in a relatively obscure component of the popular GNOME desktop environment for Linux could allow bad actors to gain control of the system if exploited.
The remote code execution (RCE) vulnerability is in libcue, a library that has been around since 2003 and is used for parsing cue sheets, which is a metadata format for describing the layout of tracks on a CD. It’s a small but important part of the overall digital infrastructure, according to Kevin Backhouse, the security researcher with GitHub who found the bug.
Backhouse wrote in a blog post that he audited libcue for security vulnerabilities because it’s used by tracker-miners, an application that’s included in GNOME and is used to index files in home directories to make them easier to search.
However, an attacker could exploit the flaw, tracked as CVE-2023-43641, by luring the user into clicking a malicious link, which would let them quickly take over the system.
“Sometimes a vulnerability in a seemingly innocuous library can have a large impact,” Backhouse wrote. “Due to the way that it’s used by tracker-miners, this vulnerability in libcue became a 1-click RCE.”
GNOME is Widely Used
GNOME is used in more than a dozen Linux distributions, including such popular ones as Fedora and Ubuntu, so the flaw represents a threat to a wide range of users and organizations.
The vulnerability is in libcue, but Backhouse focused on tracker-miners because it automatically scans files saved to the downloads directory when it updates the search index on GNOME systems, which he said “magnifies the impact of this bug.”
If a user mistakenly downloads a malicious .cue file into the downloads folder, that file is automatically scanned by one of the two tracker-miners processes, tracker-extract.
“To make a long story short, that means that inadvertently clicking a malicious link is all it takes for an attacker to exploit CVE-2023-43641 and get code execution on your computer,” Backhouse wrote.
Tracker-Miners Two-Step Process
He also noted that the “two-process architecture of tracker-miners is helpful for exploitation.”
“Firstly, it’s much easier to predict the memory layout in a freshly started process than in one that’s already been running for hours, so the fact that tracker-extract is only started on-demand is very convenient,” he wrote. “Even better, tracker-extract always creates a fresh thread to scan the downloaded file.”
Backhouse wrote that the vulnerability would not trigger if the tracker-miners isn’t running and detailed how users can check to see if it is. That said, “as far as I know, tracker-miners is quite tightly integrated into GNOME, so there’s no easy way to switch it off,” he wrote. “There’s certainly nothing like a simple checkbox in the settings dialog.”
In his blog post, Backhouse included a video showing how exploiting the flaw lets a bad actor launch a program of their choosing, in this case the calculator, on a Linux system once the user has downloaded the malicious file.
While he released technical details of the flaw, he said he is withholding the proof-of-concept exploit until users have had the chance to update their systems with the patch.
Start Protecting Yourselves Now
Mayuresh Dani, manager of threat research at cybersecurity firm Qualys, said organizations need to start taking steps to address the threat.
“This vulnerability is exploited via a malicious .cue file, which really is a text file,” Dani wrote in an email to Security Boulevard. “Businesses normally block extensions such as .elf, .so when it comes to email or local execution. Additionally, the attack surface widens when it is processed by tracker-miners, an application that’s included with GNOME.”
He wrote that “untuned” Linux endpoint detection and response (EDR) and antivirus tools, which look at the behavior of applications and malicious files, might miss exploitation of the GNOME libcue flaw because its indicators of compromise (IOCs) are not yet well known.
“Organizations should start auditing, deny-listing extensions such as .cue,” he wrote. “Uninstalling tracker-miners on systems where not necessary will also help to harden against this vulnerability.”