Several big-name Linux and BSD operating systems are vulnerable to an exploit that gives untrusted users powerful root privileges. The critical flaw in the X.org server—the open-source implementation of the X11 system that helps manage graphics displays—affects OpenBSD, widely considered to be among the most secure OSes. It also impacts some versions of the Red Hat, Ubuntu, Debian, and CentOS distributions of Linux.
An advisory X.org developers published Thursday disclosed the 23-month-old bug that, depending on how OS developers configure it, lets hackers or untrusted users elevate very limited system rights to unfettered root. The vulnerability, which is active when OSes run X.org in privileged (setuid) mode, allows files to be overwritten using the -logfile and -modulepath parameters. It also makes it trivial for low-privilege users to escalate system rights. A variety of nuances are leading to widely divergent assessments of the bug's severity.
“Depending on whom you talk to, the reported severity will vary greatly,” Louis Dion-Marcil, a security researcher at GoSecure, told Ars. “I think most people will tell you it is very severe, and I would agree with them. The bug allows you to write arbitrary data to arbitrary files, which might seem trivial and not that dangerous, but it effectively allows regular, unprivileged users to elevate their privileges to the one of complete administrator of the system.”
Got root
As Matthew Hickey, cofounder of security firm Hacker House, demonstrated Thursday, CVE-2018-14665, as the bug is indexed, can be triggered from a remote SSH session on what at the time was a fully patched OpenBSD machine. While the attacker need not use a local console, the exploit does require an an already-created account on the vulnerable OpenBSD system. In Hickey’s example, the exploit elevates the account “developer” to “root” on a default version of OpenBSD 6.4-stable.