A recently identified vulnerability affecting the “wall” command in the util-linux package has sent ripples of concern through the Linux community. Dubbed CVE-2024-28085 and named WallEscape,, this flaw poses a significant threat to the security of Linux systems. The vulnerability allows unprivileged users to manipulate terminal output, potentially leading to password leaks or clipboard alterations on select Linux distributions.
Understanding CVE-2024-28085
The vulnerability, traced back to a commit made in August 2013, arises from improperly filtered escape sequences in the “wall” command’s command-line arguments. Exploitation of this vulnerability occurs when the “mesg” utility is enabled, and the “wall” command is executed with setgid permissions. Affected systems, such as Ubuntu 22.04 and Debian Bookworm, are at risk of password leakage, with users potentially being tricked into disclosing their credentials. Notably, systems like CentOS remain unaffected due to differences in command permissions.
Furthermore, the vulnerability opens avenues for attackers to manipulate users’ clipboards through escape sequences, particularly on terminals like Windows Terminal. However, GNOME Terminal remains immune to these manipulations.
Addressing the Issue
To mitigate the risks associated with CVE-2024-28085, users are strongly advised to update their util-linux package to version 2.40 promptly. This update contains patches to remedy the vulnerability and ensure the security of Linux systems.
Concurrent Threat: CVE-2024-1086
Coinciding with the disclosure of CVE-2024-28085 is another Linux vulnerability identified by security researcher notselwyn. Assigned CVE-2024-1086, this vulnerability targets the netfilter subsystem of the Linux kernel, potentially leading to local privilege escalation or denial-of-service conditions. However, a commit released on January 24, 2024, has resolved this issue, ensuring the continued security of Linux systems.
Removal Guide and Best Practices
Detection Names and Similar Threats
Detection names for CVE-2024-28085 and CVE-2024-1086 may vary depending on the security software being used. However, some common identifiers might include:
- CVE-2024-28085 (WallEscape)
- CVE-2024-1086 (Netfilter Vulnerability)
Similar threats to these vulnerabilities may exploit other package or kernel weaknesses to compromise Linux systems. Staying updated on security advisories and promptly applying patches is crucial for safeguarding against such threats.
Removal Guide
If you suspect your Linux system is affected by CVE-2024-28085 or CVE-2024-1086, follow these steps to mitigate the risks:
- Update util-linux: Ensure your util-linux package is updated to version 2.40 or higher. You can do this using your package manager (e.g., apt on Debian-based systems, yum on CentOS).
- Apply kernel patches: If your system is vulnerable to CVE-2024-1086, apply the latest kernel patches to address the netfilter vulnerability.
- Monitor system logs: Regularly check system logs for any suspicious activities or unauthorized access attempts.
- Implement access controls: Restrict access to sensitive commands and utilities to authorized users only. Utilize mechanisms like sudo to manage privileges effectively.
- Educate users: Train users to recognize and report suspicious activities promptly. Encourage strong password practices and discourage sharing credentials.
- Use secure terminals: Opt for terminals with robust security features, such as GNOME Terminal, to minimize the risk of clipboard manipulation through escape sequences.
- Stay informed: Keep abreast of security advisories and updates from trusted sources to remain proactive in addressing emerging threats.
By following these guidelines and maintaining vigilance, Linux users can mitigate the risks posed by vulnerabilities like CVE-2024-28085 and CVE-2024-1086, ensuring the security and integrity of their systems.
