KDE Plasma closes vulnerability that allowed code execution via USB drive


The team behind KDE Plasma has patched a vulnerability in its desktop environment that could allow an attacker with physical access to execute code on a system using a USB drive with a particular filesystem and a specially crafted volume label.

The vulnerability occurs when a user mounts a USB drive via the so-called device notifier, the pop-up that appears when a removable device is connected and lists a number of actions the user can perform. If the USB drive is formatted with VFAT and the volume label contains quotes or $() sequences, the label is interpreted as a shell command.

That means that a volume label such as $(touch b) creates a file called 'b' in the user's home folder, for example. An attacker with physical access to a system can exploit this to execute code of their own choosing.
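The root cause described above is an untrusted string (the volume label) being pasted into a command line that a shell later parses. The following added example is not KDE code and does not reproduce the device notifier; it is a small, self-contained illustration of the same bug class and its two standard fixes, using constructed sample labels and a harmless $(echo ...) in place of $(touch b). It assumes a POSIX /bin/sh for the shell=True calls, and the python "program" that echoes its first argument stands in for whatever mount helper a desktop component would launch.

```python
import re
import shlex
import subprocess
import sys

# Constructed sample labels (not taken from the advisory). The last one mirrors the
# $(...) pattern the article describes, but wraps a harmless echo instead of touch.
SAMPLE_LABELS = ["BACKUP", "Photos 2017", "$(echo injected)"]

# Characters that have no business in a volume label but are meaningful to sh.
SHELL_META = re.compile(r"""[`$"'\\;&|<>(){}]""")


def label_is_suspicious(label: str) -> bool:
    """Detection helper: True when a label carries shell metacharacters.

    A desktop component could log or refuse such labels before building any
    command from them; a plain label such as "BACKUP" passes through."""
    return SHELL_META.search(label) is not None


def unsafe_command(label: str) -> str:
    """The vulnerable pattern: the label is pasted into a command string that is
    later handed to a shell, so $(...) and quotes are parsed as shell syntax."""
    return f'echo "{label}"'


def quoted_command(label: str) -> str:
    """Mitigation 1: if a shell is unavoidable, quote the untrusted value so the
    shell sees it as a single literal word."""
    return f"echo {shlex.quote(label)}"


def safe_argv(label: str) -> list:
    """Mitigation 2 (preferred): no shell at all. The label travels as one argv
    element to a program that prints it back unchanged (a stand-in helper)."""
    return [sys.executable, "-c", "import sys; print(sys.argv[1])", label]


def run_unsafe(label: str) -> str:
    """Runs the vulnerable form through /bin/sh (assumed POSIX). It exists only to
    show that the shell executes the embedded command; pass harmless labels."""
    done = subprocess.run(unsafe_command(label), shell=True,
                          capture_output=True, text=True)
    return done.stdout.strip()


def run_quoted(label: str) -> str:
    """Runs the shlex-quoted form through /bin/sh; the label comes back verbatim."""
    done = subprocess.run(quoted_command(label), shell=True,
                          capture_output=True, text=True)
    return done.stdout.strip()


def run_safe(label: str) -> str:
    """Runs the argv form with no shell; nothing in the label is interpreted."""
    done = subprocess.run(safe_argv(label), capture_output=True, text=True)
    return done.stdout.strip()


if __name__ == "__main__":
    for label in SAMPLE_LABELS:
        print(f"{label!r:24} suspicious={label_is_suspicious(label)} "
              f"argv={run_safe(label)!r} quoted={run_quoted(label)!r}")
    # Only the interpolated form turns the label into a command.
    print("interpolated:", run_unsafe("$(echo injected)"))
```

Running it shows the difference in one line: the argv and shlex-quoted paths print the label $(echo injected) back literally, while the interpolated path prints "injected" because sh expanded the substitution. The same label also trips the metacharacter check, which is the kind of guard a mount helper can apply before any command is built.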

According to the security advisory, the vulnerability (CVE-2018-6791) affects KDE Plasma versions earlier than 5.12.0. Fixes are available in versions 5.12.0 and 5.8.9. Users who cannot install the patches can work around the issue by mounting removable devices through Dolphin instead of the device notifier.
