Security researcher has discovered a critical flaw (CVE-2018-14665) in X.Org server package impacting Linux distributions such as OpenBSD, Debian, Ubuntu, CentOS, Red Hat, and Fedora
- A critical flaw was discovered in the X.Org server package impacting Linux distributions such as OpenBSD, Debian, Ubuntu, CentOS, Red Hat, and Fedora.
- The flaw was discovered by Indian security researcher Narendra Shinde.
- Xorg X server does not correctly handle and validate arguments, which can allow a low-privileged user to execute malicious code and overwrite system files.
- X.Org has addressed the issue in X.Org Server version 1.20.3.
A security researcher has discovered a critical flaw (CVE-2018-14665) in the X.Org server package impacting Linux distributions such as OpenBSD, Debian, Ubuntu, CentOS, Red Hat, and Fedora. Xorg X server is an open-source implementation of the X window system, which provides the graphical environment.

The critical flaw was discovered by Indian security researcher Narendra Shinde, who described it as an arbitrary file overwrite vulnerability that can lead to privilege escalation. Xorg X server does not correctly handle and validate arguments for at least two command-line parameters, which can allow a low-privileged user to create or overwrite any file on the system, including files owned by privileged users, and execute malicious code.

“X.org X Server application is vulnerable to a privilege escalation issue. X.org X Server application allows a lower privileged user to create or overwrite a file anywhere on the system, including files owned by privileged users (ex. /etc/shadow).”

To exploit the vulnerability the attacker needs to have an active console session. The flaw was introduced in the X.Org server 1.19.0 package and went undetected for almost two years.

Security researcher Matthew Hickey has published proof-of-concept exploit code for the flaw on Twitter and said that an attacker could easily take control of a vulnerable system in three commands or fewer.

https://twitter.com/hackerfantastic/status/1055517801224396800

The X.Org Foundation has fixed the issue in X.Org Server version 1.20.3.
OpenBSD, Debian, Ubuntu, CentOS, Red Hat, and Fedora have also confirmed the issue and have published advisories regarding the vulnerability. “Incorrect command-line parameter validation in the Xorg X server can lead to privilege elevation and/or arbitrary file overwrite, when the X server is running with elevated privileges (i.e. when Xorg is installed with the setuid bit set and started by a non-root user),” the advisory published by X.Org said.
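As an added, defensive example that is not part of the article or of the X.Org project: a small POSIX shell script that checks the two conditions the X.Org advisory ties the exposure to, namely an installed server older than the fixed 1.20.3 release and an Xorg binary that carries the setuid bit. The `X.Org X Server <version>` banner format it parses and the binary path it takes are assumptions; the sample banner and the scratch file that stands in for the binary are constructed.

```shell
#!/bin/sh
# Added example, not from the article or the X.Org project.
# Assumptions: `Xorg -version` prints a banner line of the form
# "X.Org X Server <version>", and the caller supplies the path of the Xorg binary.
# The fixed release, 1.20.3, is the one named in the article.

# parse_xorg_version BANNER_LINE -> prints the version number (e.g. "1.20.3"),
# or nothing when the line is not the server banner.
parse_xorg_version() {
  printf '%s\n' "$1" | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p'
}

# version_is_fixed VERSION -> exit status 0 when VERSION is 1.20.3 or newer.
# Missing components (e.g. "2.0") are treated as 0.
version_is_fixed() {
  oldifs=$IFS
  IFS=.
  set -- $1
  IFS=$oldifs
  major=${1:-0}; minor=${2:-0}; patch=${3:-0}
  if [ "$major" -gt 1 ]; then return 0; fi
  if [ "$major" -lt 1 ]; then return 1; fi
  if [ "$minor" -gt 20 ]; then return 0; fi
  if [ "$minor" -lt 20 ]; then return 1; fi
  if [ "$patch" -ge 3 ]; then return 0; fi
  return 1
}

# assess_xorg VERSION BINARY_PATH -> prints exactly one verdict:
#   patched     the server is at or above the fixed release
#   not-setuid  older server, but the binary is not setuid, so a non-root
#               user does not start it with elevated privileges
#   exposed     older server and setuid binary: the advisory's conditions hold
assess_xorg() {
  version=$1
  binary=$2
  if version_is_fixed "$version"; then
    echo patched
  elif [ ! -u "$binary" ]; then
    echo not-setuid
  else
    echo exposed
  fi
}

# Stand-alone demonstration on constructed input: a pre-fix banner and a
# scratch file with the setuid bit set standing in for the Xorg binary.
demo_binary=$(mktemp)
chmod u+s "$demo_binary"
demo_version=$(parse_xorg_version "X.Org X Server 1.19.0")   # constructed banner
echo "Xorg $demo_version at $demo_binary: $(assess_xorg "$demo_version" "$demo_binary")"
rm -f "$demo_binary"
```

On a real host the banner comes from `Xorg -version` and the binary path from `command -v Xorg` (or the distribution's package metadata). Treat a version-only verdict as a prompt to read the vendor advisory rather than as proof: distributions routinely backport fixes without raising the upstream version number, which is why the script also reports the setuid condition separately.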