Recent reports have unveiled a significant vulnerability concerning the “wall” command within the util-linux package, which presents risks for users across various Linux distributions. This flaw has the potential to be exploited by a malicious actor to either leak user passwords or manipulate the clipboard.
The vulnerability, identified as CVE-2024-28085 and codenamed WallEscape by security researcher Skyler Ferrante, signifies a case of improper handling of escape sequences. According to Ferrante, the command fails to adequately filter these sequences from command-line arguments, granting unprivileged users unauthorized access to send arbitrary messages to other users’ terminals, given that the mesg utility is set to “y” and wall is configured with setgid permissions.
This oversight can be traced back to a commit made in August 2013. The wall command serves a critical function by allowing users with elevated privileges to broadcast important messages to all logged-in users, such as system shutdown notifications or urgent operational announcements.
The Linux man page describes the wall command as capable of displaying messages, file contents, or standard input on the terminals of all active users. Notably, only superusers can send messages to users who have opted out of receiving them, enhancing security in multi-user environments.
CVE-2024-28085 leverages inadequately filtered escape sequences supplied through command-line entries, potentially misleading users into believing they are interacting with a legitimate sudo prompt on another user’s terminal, which could lead to unwittingly sharing their passwords.
For this exploit to succeed, the mesg utility must allow messages and the wall command must possess setgid permissions. Current impacts include Ubuntu 22.04 and Debian Bookworm, both meeting these criteria, while CentOS remains unaffected due to the absence of setgid for the wall command.
Ferrante noted that on Ubuntu 22.04, the inherent settings allow for the leakage of user passwords. The only apparent sign to the user would be an errant password prompt after entering their credentials, along with the password being recorded in command history, which poses a significant security risk.
Additionally, if wall messages can be transmitted, an attacker has the potential to alter clipboard contents through escape sequences on specific terminals like Windows Terminal, although this method does not apply to GNOME Terminal.
To address this vulnerability, it is recommended that users upgrade to util-linux version 2.40. The release notes clarify that CVE-2024-28085 enables unauthorized users to send arbitrary text to others’ terminals when mesg is enabled and wall is setgid, affecting specific distributions while leaving others, such as CentOS, RHEL, and Fedora, unimpacted.
In tandem with this vulnerability, security researcher notselwyn has also reported a use-after-free issue affecting the netfilter subsystem in the Linux kernel, identified as CVE-2024-1086, which highlights ongoing concerns around security vulnerabilities within Linux systems. This particular flaw, also rooted in a failure of input sanitization, could lead to local privilege escalation or denial-of-service conditions.
The evolving landscape of vulnerabilities underscores the imperative for business owners to maintain robust cybersecurity practices, including timely updates and vigilant monitoring of system configurations, to protect sensitive information in an increasingly complex digital environment.
