Multiple one-click vulnerabilities have been discovered across a wide range of popular software applications, potentially allowing an attacker to execute arbitrary code on target systems.
The issues were discovered by Positive Security researchers Fabian Bräunlein and Lukas Euler and affect apps such as Telegram, Nextcloud, VLC, LibreOffice, OpenOffice, Bitcoin/Dogecoin wallets, Wireshark, and Mumble.
“Desktop applications which pass user supplied URLs to be opened by the operating system are frequently vulnerable to code execution with user interaction,” the researchers said. “Code execution can be achieved either when a URL pointing to a malicious executable (.desktop, .jar, .exe, …) hosted on an internet accessible file share (nfs, webdav, smb, …) is opened, or an additional vulnerability in the opened application’s URI handler is exploited.”
Put differently, the issues stem from insufficient validation of URL input that, when opened with the help of the underlying operating system, leads to the inadvertent execution of a malicious file.
Positive Security’s analysis found that many apps failed to validate the URLs, thereby allowing an adversary to craft a link pointing to attack code, resulting in remote code execution.
Following responsible disclosure, most of the apps have released patches to remediate the issues –
- Nextcloud – Fixed in version 3.1.3 of Desktop Client released on February 24 (CVE-2021-22879)
- Telegram – Issue reported on January 11 and subsequently fixed via a server-side change on (or slightly before) February 10
- VLC Player – Issue reported on January 18, with patched version 3.0.13 set for release next week
- OpenOffice – Fixed in the upcoming 4.1.10 release (CVE-2021-30245)
- LibreOffice – Addressed on Windows, but vulnerable on Xubuntu (CVE-2021-25631)
- Mumble – Fixed in version 1.3.4 released on February 10 (CVE-2021-27229)
- Dogecoin – Fixed in version 1.14.3 released on February 28
- Bitcoin ABC – Fixed in version 0.22.15 released on March 9
- Bitcoin Cash – Fixed in version 23.0.0 (currently in release process)
- Wireshark – Fixed in version 3.4.4 released on March 10 (CVE-2021-22191)
- WinSCP – Fixed in version 5.17.10 released on January 26 (CVE-2021-3331)
“This issue spans multiple layers in the targeted system’s application stack, therefore making it easy for the maintainers of any one to shift the blame and avoid taking on the burden of implementing mitigation measures on their end,” the researchers said.
“However, due to the diversity of client systems and their configuration states, it’s crucial that every party involved takes on some amount of responsibility and adds their contribution in the form of mitigation measures” such as URL validation and preventing remote shares from being auto-mounted.
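As an added illustration (not code from the researchers' write-up or from any of the projects named above), here is one way a desktop client could implement the URL validation mitigation before handing a user-supplied URL to the OS opener (xdg-open, ShellExecute and the like): allow-list the schemes it actually needs and refuse anything that could be interpreted as a local or network file path. The sample URLs in the self-test are constructed.

```python
from urllib.parse import urlsplit

# Schemes this (hypothetical) client is willing to hand to the OS opener.
# Anything else, including file:, smb:, nfs:, webdav:, is rejected.
ALLOWED_SCHEMES = {"http", "https", "mailto"}


class UnsafeUrlError(ValueError):
    """Raised when a URL must not be passed to the operating system."""


def validate_external_url(url: str) -> str:
    """Return the URL if it is safe to open externally, else raise."""
    if not isinstance(url, str) or not url.strip():
        raise UnsafeUrlError("empty URL")
    # Control characters let the app and the opener parse one string differently.
    if any(ord(c) < 0x20 or c == "\x7f" for c in url):
        raise UnsafeUrlError("control character in URL")
    # UNC paths (\\host\share), scheme-less //host/share and drive paths (C:\)
    # are file paths, not URLs, but some openers will happily mount and open them.
    if url.startswith(("\\\\", "//")) or (len(url) > 1 and url[1] == ":"):
        raise UnsafeUrlError("file path supplied where a URL was expected")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise UnsafeUrlError(f"scheme not allowed: {scheme or '(none)'}")
    if scheme in ("http", "https"):
        if not parts.hostname:
            raise UnsafeUrlError("missing host")
        # Backslashes inside an http(s) URL are a common way to smuggle a share path.
        if "\\" in url:
            raise UnsafeUrlError("backslash in URL")
    return parts.geturl()


def check_url(url: str) -> tuple[bool, str]:
    """Non-raising wrapper: (allowed, reason) for logging or a confirmation dialog."""
    try:
        return True, validate_external_url(url)
    except UnsafeUrlError as exc:
        return False, str(exc)


def open_externally(url: str, opener) -> bool:
    """Validate first; only then call the platform-specific opener callback."""
    allowed, _ = check_url(url)
    if allowed:
        opener(url)
    return allowed
```

The opener callback is left abstract on purpose; the point is that it only ever sees a URL that passed the allow-list.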