According to vulnerability testing specialists, a compression library included by default in multiple Linux distributions (Ubuntu, Debian, Gentoo, Arch Linux and FreeBSD among others) is affected by a serious vulnerability that, if exploited, could allow a threat actor to execute malicious code on the targeted computer.
Although this library is also included on Windows
and macOS systems, the vulnerability does not appear to affect these
deployments.
The affected library is Libarchive, designed to
create and read compressed files. According to vulnerability testing
specialists, this is a toolkit that fulfills multiple functions related to
storage files, also includes other Linux utilities (tar, cpio and cat), which
is why it is implemented extensively on more than one operating system.
Just a few days ago details were revealed about
a serious vulnerability affecting this library, revealed along with the release
of security updates for Libarchive.
The vulnerability, tracked as CVE-2019-18408,
allows hackers to execute code on a user’s system with just an incorrectly
formatted file. Among the possible exploit scenarios, users could receive
malicious files from hackers or from local applications using various
Libarchive components for file decompression.
There are many software utilities and operating
systems that include Libarchive by default, so the potential attack surface is
really considerable, including desktops, server operating systems, server
managers, packages, security utilities, file browsers, and media processing
tools such as pkgutils, CMake, Pacman, Nautilus, and Samba.
Those responsible for operating systems
affected by this vulnerability in Libarchive have already released update
patches; however, it is not known whether other applications will release the
corresponding update. Vulnerability testing experts consider that not everything
is bad news, as Windows and macOS, the most popular operating systems, are not
affected by this flaw.
Specialists in vulnerability testing from the
International Institute of Cyber Security (IICS) mention that so far there have
been no reports of active exploitation of this vulnerability; similarly, a
proof of concept is not yet developed, although it could be a matter of hours
for this to happen.
