A serious security vulnerability, dubbed “WallEscape” (CVE-2024-28085), has been uncovered in the essential Linux system utilities package, util-linux. This package is a cornerstone of Linux operating systems, providing tools for fundamental tasks like managing disks, files, user logins, and processes.
The Vulnerability Explained
The WallEscape vulnerability lies within the ‘wall’ command, a tool that allows users to broadcast messages to other logged-in users. Researchers discovered that this command fails to properly filter escape sequences – special codes that can control terminal behavior.
This oversight means that a malicious user could craft messages with embedded escape sequences. When sent via the ‘wall’ command, these messages could hijack other users’ terminals, potentially stealing sensitive information like passwords or allowing the attacker to take over an account.
Who is at Risk?
The ‘wall’ command within the util-linux package (versions up to 2.40) does not filter escape sequences passed in command-line arguments, so an attacker can hide terminal control codes in a broadcast message. The vulnerable code was introduced in commit cdd3cc7fa4 (2013), and every version since has been vulnerable. Such a message could potentially give the attacker control of other users’ terminals, leading to account compromise.
Linux distributions where the ‘wall’ command is configured with special permissions (setgid) and the ability to send messages to other users’ terminals is enabled (mesg set to ‘y’) are particularly vulnerable. Popular distributions like Ubuntu 22.04 and Debian Bookworm fit this profile by default.
Potential Impact
- Password Theft: On vulnerable systems like Ubuntu 22.04, attackers could trick victims into inadvertently revealing their passwords. This could lead to account compromise and further attacks.
- Clipboard Hijacking: Attackers might be able to manipulate the contents of a victim’s clipboard, potentially stealing sensitive data or injecting malicious code.
- Further Exploitation: WallEscape could provide an entry point for attackers to execute more sophisticated attacks and gain deeper control of a system.
Technical Details & PoC
Security researcher Skyler Ferrante discovered the CVE-2024-28085 flaw and published technical details, including proof-of-concept (PoC) exploit code capable of leaking passwords on Ubuntu 22.04 with default configurations.
Protecting Yourself
- Update Immediately: If you are using a vulnerable Linux distribution, the best course of action is to install security updates as soon as they become available. Patching will address the WallEscape vulnerability and protect your system.
- Restrict ‘wall’ Command: Administrators can reduce the risk by removing the special setgid permissions from the ‘wall’ command and/or disabling message broadcast functionality using the ‘mesg n’ command.
- Monitor for Suspicious Activity: Stay vigilant and be aware of unusual behavior in your Linux terminals. Unexpected password prompts or strange characters could indicate an attack attempt.
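The two conditions named above (a setgid ‘wall’ binary and mesg set to ‘y’) can be checked with a short script. This is an added example, not code from the researcher or from util-linux; the function name wall_exposure and its status labels are made up for illustration, and it assumes that mesg ‘y’ shows up as the group-write bit on the terminal device.

```shell
#!/bin/sh
# Added example: checks the two exposure conditions the article names.
# wall_exposure and its status labels are illustrative names.

# wall_exposure WALL_BINARY TTY_DEVICE
# Prints one of: wall-absent | exposed | setgid-only | mesg-only | reduced
wall_exposure() {
    wall_bin=$1
    tty_dev=$2
    if [ ! -e "$wall_bin" ]; then
        echo "wall-absent"
        return 0
    fi
    setgid=no
    mesg=no
    # -g is true when the file carries the setgid bit.
    if [ -g "$wall_bin" ]; then setgid=yes; fi
    # Assumption: 'mesg y' is the group-write bit on the terminal device,
    # i.e. the sixth character of the 'ls -l' mode string.
    if [ "$(ls -ld "$tty_dev" 2>/dev/null | cut -c6)" = "w" ]; then mesg=yes; fi
    case "$setgid/$mesg" in
        yes/yes) echo "exposed" ;;
        yes/no)  echo "setgid-only" ;;
        no/yes)  echo "mesg-only" ;;
        *)       echo "reduced" ;;
    esac
}

# Report for the current session; both lookups may legitimately be empty.
wall_path=$(command -v wall 2>/dev/null) || wall_path=""
tty_path=$(tty 2>/dev/null) || tty_path=""
status=$(wall_exposure "$wall_path" "$tty_path")
echo "wall: ${wall_path:-not found}  tty: ${tty_path:-none}  status: $status"
case $status in
    exposed|setgid-only) echo "mitigation: chmod g-s $wall_path (as root)" ;;
esac
case $status in
    exposed|mesg-only) echo "mitigation: run 'mesg n' in this session" ;;
esac
```

The mesg setting is per terminal, so the result describes only the session the script runs in.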
The Takeaway
The WallEscape vulnerability demonstrates the far-reaching consequences of flaws in even the most fundamental system tools. This discovery underscores the importance of timely patching and proactive security measures to protect Linux systems from evolving threats.