Many versions of Linux may be vulnerable to a flaw that allowed hackers to steal passwords, or change the contents of their clipboard.
The vulnerability, however, comes with a major caveat that makes exploitations somewhat unlikely (or at least heavily limited).
Cybersecurity researcher Skyler Ferrante recently discovered an “improper neutralization of escape sequences in wall” vulnerability, a flaw impacting the “wall” command. This command is usually used to broadcast messages to the terminals of all users logged to the same system.
WallEscape
With escape sequences not being properly filtered when processing input through command line arguments, a threat actor could, theoretically, launch a prompt to all connected users and have them type in their administrator password. Escape sequences could also be used to change the clipboard of a target user, although this method may not work with all terminal emulators.
The vulnerability is tracked as CVE-2024-28085, and dubbed WallEscape. It was fixed in Linux version 2.40, released in March 2024, but that means it has been present in Linux versions for the past 11 years.
While a proof-of-concept (PoC) for the vulnerability exists, and a practical application could occur, multiple factors need to align, first. For example, the attacker needs to have physical access to a Linux server, to which multiple other potential victims are already connected through the terminal. If you’re still worried about your Linux server being targeted, there is a solution. Linux released an upgrade to linux-utils v.2.40, which patches the vulnerability.
Usually, these updates are available through the LInux distribution’s standard update channel, so keep an eye out. Furthermore, system administrators can fix the issue by removing the setgid permission from the “wall” command, or by disabling the message broadcast functionality using the “mesg” command to set its flag to “n”.
Via BleepingComputer