Several big-name Linux and BSD operating systems are vulnerable to an exploit that gives untrusted users powerful root privileges. The critical flaw in the X.org server—the open-source implementation of the X11 system that helps manage graphics displays—affects OpenBSD, widely considered to be among the most secure OSes. It also impacts some versions of the Red Hat, Ubuntu, Debian, and CentOS distributions of Linux.

An advisory X.org developers published Thursday disclosed the 23-month-old bug that, depending on how OS developers configure it, lets hackers or untrusted users elevate very limited system rights to unfettered root. The vulnerability, which is active when OSes run X.org in privileged (setuid) mode, allows files to be overwritten using the -logfile and -modulepath parameters. It also makes it trivial for low-privilege users to escalate system rights. A variety of nuances are leading to widely divergent assessments of the bug's severity.

“Depending on whom you talk to, the reported severity will vary greatly,” Louis Dion-Marcil, a security researcher at GoSecure, told Ars. “I think most people will tell you it is very severe, and I would agree with them. The bug allows you to write arbitrary data to arbitrary files, which might seem trivial and not that dangerous, but it effectively allows regular, unprivileged users to elevate their privileges to the one of complete administrator of the system.”

Got root

As Matthew Hickey, cofounder of security firm Hacker House, demonstrated Thursday, CVE-2018-14665, as the bug is indexed, can be triggered from a remote SSH session on what at the time was a fully patched OpenBSD machine. While the attacker need not use a local console, the exploit does require an an already-created account on the vulnerable OpenBSD system. In Hickey’s example, the exploit elevates the account “developer” to “root” on a default version of OpenBSD 6.4-stable.

OpenBSD #0day Xorg LPE via CVE-2018-14665 can be triggered from a remote SSH session, does not need to be on a local console. An attacker can literally take over impacted systems with 3 commands or less. exploit https://t.co/3FqgJPeCvO 🙄 pic.twitter.com/8HCBXwBj5M — Hacker Fantastic (@hackerfantastic) October 25, 2018

The three required commands, Hickey said, are:

cd /etc; Xorg -fp "Root::16431:0:99999:7:::" -logfile shadow :1;su

“Overwrite shadow (or any) file on most Linux, get root privileges,” the researcher added. “*BSD and any other Xorg desktop also affected.”

Security researcher Brendan Coles confirmed that the exploit works on CentOS version 7.4:

Works as described on CentOS 7.4 (1708) (x64) pic.twitter.com/ypLSuZPX62 — Brendan Coles (@_bcoles) October 25, 2018

Other security practitioners remained less convinced of the severity of CVE-2018-14665. With the exception of OpenBSD, most other OSes running a vulnerable version of X.org require attackers to have an active console session. That means attackers must be using the physically attached keyboard and mouse, not a remote session. The requirement “is a huge limitation,” Narendra Shinde, the security researcher credited with discovering the vulnerability, told Ars. Shinde has shared technical details about the vulnerability here.

Advisories or patches from OpenBSD, Red Hat, Debian, and Ubuntu are here, here, here, and here. People should check with developers of other Linux and BSD distributions to get their status. In the event that a patch isn’t available or can’t immediately be installed, the vulnerability can be mitigated by invoking chmod 755 on the installed X.org binary to remove the setuid privilege. X.org developers have cautioned, however, that this workaround can cause problems if the X window system starts using the “startx,” “xinit,” or similar commands.