The bug affects users running the KDE Plasma desktop environment, which is widely used in GNU/Linux distributions. The issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0.
According to an advisory published by the KDE Plasma team, USB sticks containing characters `` or $() in the volume label will execute the text contained within these characters as shell commands. This could allow a hacker with physical access to a machine to execute malicious commands via the USB device notifier function.
The vulnerability has been tracked as CVE-2018-6791 and categorised as an "arbitrary command execution" flaw. According to an advisory by NIST, the vulnerability is currently awaiting analysis.
“When a vfat thumbdrive which contains `` or $() in its volume label is plugged and mounted through the device notifier, it's interpreted as a shell command, leaving a possibility of arbitrary command execution. An example of offending volume label is "$(touch b)" which will create a file called b in the home folder,” the advisory stated.
The team has urged users to update to versions 5.12.0 or 5.8.9 to fix the issue. If users can't update systems, the team said that a workaround for the problem would be to mount removable devices with Dolphin instead of the device notifier.
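To make the advisory's point concrete from a defender's side, the following added example (written for this article, not KDE's code, and not a reproduction of deviceserviceaction.cpp) contrasts the vulnerable pattern, a volume label concatenated into a command string handed to /bin/sh, with two hardened forms: quoting the label with `shlex.quote`, and the preferred fix of launching the helper with an argv list and no shell at all. The labels are constructed samples; `printf` and the Python interpreter stand in for whatever tool the notifier would launch, and `label_has_shell_substitution` is a simple screen a udev hook or log rule could use to flag media whose label carries the syntax the advisory names.

```python
"""Added example: how a volume label becomes a shell command, and how
to handle it safely.  Illustrative code written for this article; it is
not KDE's code and does not reproduce deviceserviceaction.cpp."""
import shlex
import subprocess
import sys

# Constructed sample labels.  The "$(...)" form is the one the KDE
# advisory quotes; the backtick form is the older equivalent syntax.
BENIGN_LABEL = "HOLIDAY_PHOTOS"
SUBST_LABEL = "$(echo injected)"
BACKTICK_LABEL = "`echo injected`"


def label_has_shell_substitution(label: str) -> bool:
    """Defensive screen: does the label contain the substitution syntax
    named in the advisory (backticks or $( ))?  Suitable for a udev hook
    or a log-monitoring rule that flags suspicious removable media."""
    return "`" in label or "$(" in label


def unsafe_shell_interpolation(label: str) -> str:
    """The vulnerable pattern: the label is concatenated into a command
    string that /bin/sh parses.  Substitution syntax inside the label is
    expanded by the shell; the function returns what the shell printed."""
    cmd = "printf '%s' " + label          # label inserted verbatim
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def quoted_shell_interpolation(label: str) -> str:
    """Mitigation A: still via the shell, but the label is wrapped by
    shlex.quote so the substitution syntax reaches printf as literal text."""
    cmd = "printf '%s' " + shlex.quote(label)
    return subprocess.run(cmd, shell=True, capture_output=True,
                          text=True).stdout


def argv_no_shell(label: str) -> str:
    """Mitigation B (preferred): no shell at all.  The label travels as a
    single argv element, so nothing parses it for metacharacters.  The
    Python interpreter stands in for the helper the notifier would launch."""
    return subprocess.run(
        [sys.executable, "-c",
         "import sys; sys.stdout.write(sys.argv[1])", label],
        capture_output=True, text=True).stdout


if __name__ == "__main__":
    for label in (BENIGN_LABEL, SUBST_LABEL, BACKTICK_LABEL):
        print(f"label={label!r} flagged={label_has_shell_substitution(label)}")
        print("  unsafe :", repr(unsafe_shell_interpolation(label)))
        print("  quoted :", repr(quoted_shell_interpolation(label)))
        print("  argv   :", repr(argv_no_shell(label)))
```

Running it shows the unsafe path printing `injected` for both crafted labels, which is exactly the behaviour behind the advisory's `$(touch b)` example, while both hardened paths print the label back unchanged. The argv form is the stronger fix because it removes the shell parser from the path entirely rather than relying on quoting being applied at every call site.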
Josh Mayfield, director at FireMon, told SC Media UK that regular drive inspection is a top priority.
“Many systems will scan for potential harmful packets within your drives, which helps to prevent anyone opening it. If the file sits in the drive for months, undetected, then you run the risk of inadvertently opening the malware. But when scanning and cleaning the system frequently, security teams can get in the middle of the unsuspecting user and the malicious file,” he said.
Secondly, to prevent any worm proliferation, organisations can have robust policy controls between systems on the network. Often, it is weak policy that allows machines to cross-talk and ‘trust’ one another, added Mayfield.
“Once again, we can see how trust itself can be a vulnerability. When system A has been exploited with malware delivered by a thumb drive ‘save to’ command, that file can be saved to an unlimited number of trusted machines (systems B through Z). But with tighter policy controls, you can avoid the communication from the start, so when system A has a problematic thumb drive hanging from its USB port, you don't have to worry about the contents spreading to other systems on the network; malware is blocked…by a policy of zero trust,” he added.
Tom Bonner, senior manager threat research (EMEA) at Cylance, told SC Media UK that in principle, weaponising a USB to exploit this vulnerability is extremely simple. “In practice, the likelihood of this being leveraged in-the-wild is fairly low, owing to the relatively small KDE user-base and availability of patches,” he said.
“Attackers have been known to leave weaponised USB drives lying around, relying on the fact that in most cases, once discovered, the finder will connect the device to a computer, thereby automatically triggering a malicious payload.”
Bonner added that aside from regular patching and running anti-virus and EDR software, organisations should ensure that they provide adequate security awareness training to “educate employees about the inherent risks associated with USB devices, as well as providing approved devices for use where necessary. Never connect USB devices from unknown/untrusted sources to your computer.”
Bonner added that while this flaw wouldn't affect Windows systems, “Windows has suffered a variety of issues with USB vulnerabilities over the years, from design flaws such as AutoRun/AutoPlay, to vulnerabilities in processing .LNK files, all of which have been actively exploited to deploy malware.”
The bug is mildly reminiscent of the Stuxnet worm which, back in 2010, used a zero-day vulnerability in Windows to infect a system just by plugging in an infected USB drive. This exploit was based on how Windows handled .LNK shortcut files, allowing malware to run without any user interaction.