A new security flaw has been disclosed in the libcue library affecting GNOME Linux systems that can be exploited to achieve remote code execution (RCE) on affected hosts.
Tracked as CVE-2023-43641 (CVSS score: 8.8), the issue is described as a case of memory corruption in libcue, a library designed for parsing cue sheet files. This affects versions 2.2.1 and earlier.
libcue is included in Tracker Miners, a search engine tool that is included by default in GNOME and indexes files in the system for easy access.
The problem lies in out-of-bounds array access in the track_set_index function that allows the victim to obtain code execution on the machine by tricking them into clicking a malicious link and downloading a .cue file.
According to the description of the vulnerability in the National Vulnerability Database (NVD), “A user of the GNOME desktop environment could be exploited by downloading a cue sheet from a malicious webpage.”
“Since the file is saved in ‘~/Downloads’, it is automatically scanned by tracker-miners. And because it has a .cue file name extension, tracker-miners use libcue to parse the file. “The file exploits a vulnerability in libcue to gain code execution.”
Additional technical information about the vulnerability has been withheld to allow users ample time to install the latest updates.
“Sometimes a vulnerability in a seemingly innocuous library can have a major impact,” said Kevin Backhouse, the GitHub security researcher who discovered the bug. “This vulnerability in libcue became one-click RCE because of the way it is exploited by tracker-miners.”
“Such vulnerabilities are often the starting point for ‘one-click’ exploits that compromise a victim’s device when they visit a malicious website,” said security researcher Man Yue Mo. “A renderer RCE in Chrome allows an attacker to compromise and execute arbitrary code in the Chrome renderer process.”