The bug affects users running the KDE Plasma desktop environment, which is widely used in GNU/Linux distributions. The issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0.
The vulnerability has been tracked as CVE-2018-6791 and categorised as an "arbitrary command execution" flaw. According to an advisory by NIST, the vulnerability is currently awaiting analysis.
The team has urged users to update to versions 5.12.0 or 5.8.9 to fix the issue. If users can't update systems, the team said that a workaround for the problem would be to mount removable devices with Dolphin instead of the device notifier.
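Because the fix shipped on two branches (5.8.9 for the long-term-support line and 5.12.0 for the current line), a naive "is my version new enough" check gets the 5.9 to 5.11 range wrong: those releases are newer than 5.8.9 but carry no fix. The following Python helper is an added example, not code from the KDE project or the article, that encodes the two fixed versions named above and classifies a reported version accordingly. It assumes `plasmashell --version` prints a line containing the version in `major.minor.patch` form; the sample output strings are constructed for illustration.

```python
import re
import shutil
import subprocess

# Fixed releases named in the advisory text: one per maintained branch.
FIXED_LTS = (5, 8, 9)    # fix on the 5.8 long-term-support branch
FIXED_MAIN = (5, 12, 0)  # fix on the current branch


def parse_version(text):
    """Extract the first major.minor.patch triple from a version string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no major.minor.patch version found in: %r" % text)
    return tuple(int(part) for part in match.groups())


def is_patched(version):
    """True if the given plasma-workspace version contains the fix.

    Anything at or above 5.12.0 is fixed. On the 5.8 branch, 5.8.9 and later
    are fixed. Releases in between (5.9.x to 5.11.x) received no fix on their
    own branch and are treated as vulnerable.
    """
    if version >= FIXED_MAIN:
        return True
    if version[:2] == FIXED_LTS[:2] and version >= FIXED_LTS:
        return True
    return False


def classify(version_output):
    """Map a 'plasmashell --version' style string to 'patched' or 'vulnerable'."""
    return "patched" if is_patched(parse_version(version_output)) else "vulnerable"


def check_local_install():
    """Run plasmashell --version on this host, or report that it is absent.

    Assumption: plasmashell prints its version as e.g. 'plasmashell 5.12.0'.
    """
    if shutil.which("plasmashell") is None:
        return "plasmashell not installed"
    result = subprocess.run(["plasmashell", "--version"],
                            capture_output=True, text=True, check=False)
    return classify(result.stdout or result.stderr)


if __name__ == "__main__":
    # Constructed sample outputs covering both branches and the gap between them.
    for sample in ("plasmashell 5.8.8", "plasmashell 5.8.9",
                   "plasmashell 5.11.5", "plasmashell 5.12.0"):
        print(sample, "->", classify(sample))
    print("this host ->", check_local_install())
```

The branch-aware comparison is the point of the helper: a plain `version >= (5, 8, 9)` test would wrongly report 5.11.5 as patched.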
“Many systems will scan for potential harmful packets within your drives, which helps to prevent anyone opening it. If the file sits in the drive for months, undetected, then you run the risk of inadvertently opening the malware. But when scanning and cleaning the system frequently, security teams can get in the middle of the unsuspecting user and the malicious file,” he said.
“Once again, we can see how trust itself can be a vulnerability. When system A has been exploited with malware delivered by a thumb drive ‘save to’ command, that file can be saved to an unlimited number of trusted machines (systems B through Z). But with tighter policy controls, you can avoid the communication from the start, so when system A has a problematic thumb drive hanging from its USB port, you don't have to worry about the contents spreading to other systems on the network; malware is blocked…by a policy of zero trust,” he added.
“Attackers have been known to leave weaponised USB drives lying around, relying on the fact that in most cases, once discovered, the finder will connect the device to a computer, thereby automatically triggering a malicious payload.”
Bonner added that while this flaw wouldn't affect Windows systems, “Windows has suffered a variety of issues with USB vulnerabilities over the years, from design flaws such as AutoRun/AutoPlay, to vulnerabilities in processing .LNK files, all of which have been actively exploited to deploy malware.”