
A new security vulnerability affects most Linux and BSD distros. The problem is a privilege escalation flaw and should be relatively easy to fix. For now, however, it is widespread and affects a large number of systems.

The Linux and BSD variants that use the popular X.Org Server package are all vulnerable. Since the vast majority of distros use this package, most variants are affected. The vulnerability lets an attacker with limited access to a system, via a terminal or an SSH session, escalate privileges or obtain root access.

Editing critical data

The vulnerability cannot be used to break into a secured device, but it is useful to attackers who already have access and want to get more out of their hack. Linux and BSD developers will need to address it quickly, as it is part of the X.Org Server package. This is a graphics and windowing technology that serves as the basis for the well-known KDE and GNOME desktop interfaces and is used in all major Linux and BSD distros that provide users with a window-based interface.

Security researcher Narendra Shinde reports that the vulnerability allows attackers to escalate privileges and edit files on the local system, even critical OS data. The problem, tracked as CVE-2018-14665, is caused by two command line options not being processed correctly. The error is in -logfile and -modulepath and allows an attacker to add his own code.

There’s already a fix

Exploiting this vulnerability only works if X.Org Server is set up to run with root privileges. That’s a common set-up for distros. Developers at the X.Org Foundation have already released a new version, 1.20.3, to solve the problem. In the fix, support for the two command line options is simply removed.

Distros such as CentOS, Debian, Red Hat Enterprise Linux and Ubuntu are affected by the problem. Updates with the patched X.Org Server package are expected shortly.
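The two conditions above (a server older than 1.20.3 that runs with root privileges) can be checked locally. The script below is an added example, not code from the article or from X.Org; it assumes the server binary is setuid root when it "runs with root privileges", treats every version below the fixed release as unpatched, and takes the binary path as an argument because the location differs per distro.

```shell
#!/bin/sh
# Added example (not from the article): local exposure check for CVE-2018-14665.
FIXED_VERSION="1.20.3"   # fixed release named in the article

# Read `Xorg -version` output on stdin, print the server version number.
parse_xorg_version() {
    sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Succeed when dotted version $1 sorts strictly before $2.
version_lt() {
    if [ "$1" = "$2" ]; then return 1; fi
    lowest=$(printf '%s\n%s\n' "$1" "$2" |
        sort -t. -k1,1n -k2,2n -k3,3n | head -n 1)
    [ "$lowest" = "$1" ]
}

# Succeed when an `ls -ln` line shows a setuid binary owned by uid 0.
setuid_root() {
    mode=$(printf '%s\n' "$1" | awk '{print $1}')
    uid=$(printf '%s\n' "$1" | awk '{print $3}')
    case "$mode" in
        ???[sS]*) [ "$uid" = "0" ] ;;
        *) return 1 ;;
    esac
}

# Print one verdict for a version string and an `ls -ln` line.
assess() {
    if ! version_lt "$1" "$FIXED_VERSION"; then
        echo "patched"
    elif setuid_root "$2"; then
        echo "exposed"
    else
        echo "unpatched-not-setuid"
    fi
}

# Run against a real binary when a path is given (path is an assumption:
# which file carries the setuid bit varies by distro).
if [ "$#" -gt 0 ]; then
    ver=$("$1" -version 2>&1 | parse_xorg_version)
    if [ -z "$ver" ]; then echo "unknown-version"; exit 2; fi
    assess "$ver" "$(ls -ln "$1")"
fi
```

A verdict of `unpatched-not-setuid` still calls for the update; it only means the root-privilege condition described above is not met for that file.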

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.