The following was circulated to our Managed Security Services customers on Friday 26th October 2018.
Executive Summary: Linux and BSD variants that employ the popular X.Org Server package are exposed to a newly disclosed privilege escalation vulnerability. X.Org Server is a core graphics and windowing technology, the base for the KDE and GNOME desktop suites, and is found in all major Linux and BSD distros that offer users a graphical, window-based interface.
If a vulnerable version of X.Org is running on a system as setuid root, a normal user logged in either at a terminal or over an SSH session can abuse it to gain administrator-level control over the machine. That would allow a miscreant to tamper with files, install spyware, and so on.
The issue, tracked as CVE-2018-14665, was caused by improper handling of two command-line options, namely -logfile and -modulepath, which allows a local attacker to insert and execute their own malicious operations. The flaw is exploitable only when X.Org Server is configured to run with root privileges itself, which is a common setup for many distros.
The two vulnerable parameters in question are:
-modulepath: to set a directory path to search for X.Org server modules,
-logfile: to set a new log file for the X.Org server, instead of using the default log file that is located at /var/log/Xorg.n.log on most platforms.
Distros such as Red Hat Enterprise Linux, Fedora, CentOS, Debian, Ubuntu and OpenBSD have already been confirmed as impacted, and other smaller projects are most likely affected as well.
Detect: Organisations that run distributions of Linux are recommended to check the version of X.Org Server installed and deploy updates if it is older than 1.20.3.
Prevent: The X.Org foundation has now released X.Org Server version 1.20.3 with security patches to address the issue. The fix disables support for these two command-line arguments if the X.Org Server package runs with root privileges.
React: Upgrade to X.Org Server 1.20.3, released by the X.Org Foundation developers to fix this issue; from that version on, the two command-line arguments are disabled when the X.Org Server package runs with root privileges.
If patches cannot be applied, there are two workarounds: remove the setuid bit from the X.Org binary, which its developers warn can break systems that start the X Window System using startx or xinit; or use a display manager to start X sessions.
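Added example, not code from the advisory or from the X.Org project: a POSIX shell audit that parses `Xorg -version` output, compares the version with the fixed release 1.20.3 and reports whether the binary is setuid root (the condition the setuid workaround removes). The sample output is constructed, and `audit_host` and its `--audit` flag are this example's own names.

```shell
#!/bin/sh
# Added example, not from the advisory: flag an X.Org server older than the
# fixed release 1.20.3 and report whether its binary is setuid root.
FIXED_VERSION="1.20.3"
# Compare dotted versions $1 and $2; prints -1, 0 or 1. A non-numeric
# suffix inside a component (e.g. "3-2") is ignored.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; ah="${ah%%[!0-9]*}"; [ -z "$ah" ] && ah=0
        bh="${b%%.*}"; bh="${bh%%[!0-9]*}"; [ -z "$bh" ] && bh=0
        [ "$ah" -lt "$bh" ] && { echo -1; return 0; }
        [ "$ah" -gt "$bh" ] && { echo 1; return 0; }
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo 0
}
# Pull the version out of `Xorg -version` output, whose first line reads
# "X.Org X Server <version>".
parse_xorg_version() {
    printf '%s\n' "$1" | sed -n 's/^X\.Org X Server \([0-9][0-9.]*\).*/\1/p' | head -n 1
}
# True (exit 0) when the given version predates the fix.
xorg_is_vulnerable() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -eq -1 ]
}
# True when file $1 is setuid and owned by root (POSIX find primaries only).
is_setuid_root() {
    [ -n "$(find "$1" -prune -perm -4000 -user root -print 2>/dev/null)" ]
}
# Constructed sample of `Xorg -version` output from an unpatched host.
SAMPLE_OUTPUT='X.Org X Server 1.20.1
X Protocol Version 11, Revision 0'
# Audit this host: returns 0 if patched or absent, 1 if action is needed.
audit_host() {
    xorg="$(command -v Xorg || echo /usr/bin/Xorg)"
    if [ ! -x "$xorg" ]; then echo "Xorg binary not found"; return 0; fi
    ver="$(parse_xorg_version "$("$xorg" -version 2>&1 || true)")"
    [ -n "$ver" ] || { echo "could not parse Xorg version"; return 1; }
    suid="no"; is_setuid_root "$xorg" && suid="yes"
    if xorg_is_vulnerable "$ver"; then
        echo "$xorg $ver is below $FIXED_VERSION (setuid root: $suid): update"
        return 1
    fi
    echo "$xorg $ver is at or above $FIXED_VERSION (setuid root: $suid)"
}
if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run with `--audit` on a host to get a one-line verdict; a non-zero exit means the server is below 1.20.3 and still needs the update or one of the workarounds above.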