
Linux and BSD variants that employ the popular X.Org Server package (almost all do) are affected by a new vulnerability disclosed on Thursday.

The vulnerability allows an attacker with limited access to a system, either via a terminal or SSH session, to elevate privileges and gain root access.

It can't be used to break into secure computers, but it is still useful to attackers because it can quickly turn simple intrusions into bad hacks.

While the vulnerability is not in the redoubtable category of "as-bad-as-it-gets" flaws, the security flaw could not be ignored by the Linux and infosec communities once its existence was made public on Thursday.

The reason is where it was found: the X.Org Server package, a core graphics and windowing technology that is the base for the more famous KDE and GNOME desktop interface suites and is found in all major Linux and BSD distros that offer users a windows-based interface.

According to a report authored by security researcher Narendra Shinde, the X.Org Server package had contained, since May 2016, a vulnerability that allowed attackers to elevate privileges and/or overwrite any files on the local system, even crucial OS data.

The issue, tracked as CVE-2018-14665, was caused by improper handling of two command-line options, namely -logfile and -modulepath, which allowed an attacker to insert and execute their own malicious operations. The flaw was exploitable only when X.Org Server was configured to run with root privileges itself, which is a common setup for many distros.

X.Org Foundation developers released X.Org Server 1.20.3 to fix this issue. The fix disables support for these two command-line arguments if the X.Org Server package runs with root privileges.
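
Until the patched package is installed, defenders can watch for the condition described above: X.Org Server started by a non-root user, running with root privileges, with either of the two options on its command line. The following detection sketch is an added example, not code from the report or from X.Org. It assumes auditd-style SYSCALL/EXECVE records with quoted arguments, the binary names `Xorg` and `X`, and constructed sample log lines.

```python
import re
from collections import defaultdict

RISKY_OPTIONS = {"-logfile", "-modulepath"}  # the two options named for CVE-2018-14665
XORG_NAMES = {"Xorg", "X"}                   # assumption: common names of the server binary

# Constructed auditd-style records (not real logs). SYSCALL and EXECVE share an event id.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1540500000.101:901): syscall=59 success=yes auid=1000 uid=1000 euid=0 exe="/usr/bin/Xorg"
type=EXECVE msg=audit(1540500000.101:901): argc=4 a0="Xorg" a1="-logfile" a2="/tmp/constructed.log" a3=":1"
type=SYSCALL msg=audit(1540500050.200:902): syscall=59 success=yes auid=1000 uid=1000 euid=0 exe="/usr/bin/Xorg"
type=EXECVE msg=audit(1540500050.200:902): argc=2 a0="Xorg" a1=":0"
type=SYSCALL msg=audit(1540500100.300:903): syscall=59 success=yes auid=4294967295 uid=0 euid=0 exe="/usr/bin/Xorg"
type=EXECVE msg=audit(1540500100.300:903): argc=3 a0="Xorg" a1="-logfile" a2="/var/log/Xorg.0.log"
"""

EVENT_RE = re.compile(r"^type=(\w+) msg=audit\([\d.]+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(log_text):
    """Group records by audit event id: {event_id: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        rtype, event_id, body = m.groups()
        events[event_id][rtype] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return events


def suspicious_xorg_execs(log_text):
    """Return (event_id, uid, options) for Xorg execs matching the vulnerable condition."""
    hits = []
    for event_id, recs in sorted(parse_events(log_text).items(), key=lambda kv: int(kv[0])):
        sc, ex = recs.get("SYSCALL"), recs.get("EXECVE")
        if not sc or not ex:
            continue  # need both the identity (SYSCALL) and the argv (EXECVE)
        exe_name = sc.get("exe", "").rsplit("/", 1)[-1]
        args = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
        # Real uid is not root, effective uid is root: the server runs with root privileges.
        elevated = sc.get("uid") != "0" and sc.get("euid") == "0"
        used = sorted(RISKY_OPTIONS.intersection(args))
        if exe_name in XORG_NAMES and elevated and used:
            hits.append((event_id, sc["uid"], used))
    return hits


if __name__ == "__main__":
    for hit in suspicious_xorg_execs(SAMPLE_LOG):
        print(hit)
```

Event 903 is not flagged because root started the server itself, and event 902 is not flagged because neither option appears.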

Distros like Red Hat Enterprise Linux, Fedora, CentOS, Debian, Ubuntu, and OpenBSD have already been confirmed as impacted, and other smaller projects are most likely affected as well.

Security updates that contain the patched X.Org Server package are expected to roll out in the following hours and days.

Proof-of-concept code was also released earlier today by Matthew Hickey, Co-Founder and Director at Hacker House, a UK-based cyber-security firm.

"An attacker can literally take over impacted systems with 3 commands or less," said Hickey on Twitter. "Lots of other ways to exploit e.g crontab. It's hilarious on how trivial it is."
