The vulnerability, tracked as CVE-2023-43641, was discovered by security researcher Kevin Backhouse and privately reported to Linux distribution security teams on October 10, 2023.
The libcue library is used for parsing cue sheets, a metadata format describing the layout of tracks on a CD. While obscure, it is utilized by some audio players as well as the GNOME file indexing tool tracker-miners. The tracker-miners tool automatically scans new files added to certain directories like the Downloads folder.
According to Backhouse, the vulnerability arises from a lack of input validation in the libcue code that parses cue sheet index values. The issue is magnified because libcue is used by tracker-miners: an application that’s included with GNOME—the default graphical desktop environment of many open source operating systems. The purpose of tracker-miners is to index the files in your home directory to make them easily searchable. For example, the index is used by the GNOME desktop search bar.
The index is automatically updated when you add or modify a file in certain subdirectories of your home directory, in particular including ~/Downloads.
By targeting the tracker-miners tool and getting a user to download a maliciously crafted cue sheet, an attacker could trigger this libcue vulnerability, resulting in out-of-bounds writes. Because the downloaded file is scanned automatically, no further user interaction is needed for the attacker to achieve remote code execution on the user's system.
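As an added illustration (constructed for this article, not libcue's own code), the following C parser handles cue sheet `INDEX nn mm:ss:ff` lines and range-checks both the index number and the MSF timestamp before the number is used as a subscript into a fixed-size per-track table; `MAX_INDEX`, `struct track` and the function names are assumptions.

```c
#include <stdio.h>

#define MAX_INDEX 100   /* assumed table size: cue INDEX numbers are 00..99 */

/* Constructed track record: one frame offset per INDEX number, -1 = unset. */
struct track {
    long index[MAX_INDEX];
};

void track_init(struct track *t)
{
    for (int i = 0; i < MAX_INDEX; i++)
        t->index[i] = -1;
}

/* Parse one "INDEX nn mm:ss:ff" line. On success returns the offset in
 * frames and stores the index number in *num; returns -1 if the line is
 * malformed or any field is out of range, so a caller never uses an
 * unchecked number as an array subscript. */
long parse_index_line(const char *line, int *num)
{
    int n, mm, ss, ff;

    if (sscanf(line, "INDEX %d %d:%d:%d", &n, &mm, &ss, &ff) != 4)
        return -1;
    if (n < 0 || n >= MAX_INDEX)   /* %d accepts a sign, so "-1" parses */
        return -1;
    if (mm < 0 || mm > 99 || ss < 0 || ss > 59 || ff < 0 || ff > 74)
        return -1;                 /* MSF time: 75 frames per second */
    *num = n;
    return ((long)mm * 60 + ss) * 75 + ff;
}

/* Store a validated INDEX entry; the subscript was range-checked above. */
int track_set_index_from_line(struct track *t, const char *line)
{
    int num;
    long frames = parse_index_line(line, &num);
    if (frames < 0)
        return -1;
    t->index[num] = frames;
    return 0;
}
```

A line such as `INDEX 250 00:00:00` or `INDEX -1 00:00:00` is rejected before any table write, which is the class of check the article says was missing.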
Video of my PoC for CVE-2023-43641: out-of-bounds array access in libcue. libcue is used by tracker-miners, which automatically scans new files in ~/Downloads, so the bug is triggered by downloading a file. pic.twitter.com/xCSkaHD7zp
— Kev (@kevin_backhouse) October 9, 2023
Backhouse reported developing a proof-of-concept exploit that achieved reliable code execution on default installations of Ubuntu 23.04 and Fedora 38. He notes that, while he has not tested other distros, any GNOME-based system is likely vulnerable.
The vulnerability affects Linux distributions that use the GNOME desktop environment, including Ubuntu, Fedora, and other distros. Users are urged to install the patched version of libcue as soon as their distro releases an update. The researcher has developed a proof-of-concept exploit but is delaying its release to allow users time to patch.
In addition to patching libcue, changes have been made to strengthen tracker-miners' seccomp sandbox to prevent exploitation of this issue in the future. Users should ensure they are running the latest version of their distribution and apply any available updates urgently.
The disclosure has sparked concerns over the potential impact of vulnerabilities in lesser-known components. The integration of libcue into core system tools like tracker-miners dramatically escalates the risk of what would normally be considered a relatively obscure software flaw.
While libcue itself is not widely used, its use in a core GNOME component led to a critical vulnerability affecting many users. It highlights the importance of proactive auditing and patching of all software dependencies.