According to vulnerability testing specialists, a compression library included by default in multiple Linux distributions (Ubuntu, Debian, Gentoo, Arch Linux and FreeBSD among others) is affected by a serious vulnerability that, if exploited, could allow a threat actor to execute malicious code on the targeted computer.
Although this library is also included on Windows and macOS systems, the vulnerability does not appear to affect these deployments.
The affected library is Libarchive, designed to create and read compressed files. According to vulnerability testing specialists, it is a toolkit that performs multiple functions related to archive files and also includes other Linux utilities (tar, cpio and cat), which is why it is deployed extensively on more than one operating system.
Just a few days ago, details of a serious vulnerability affecting this library were disclosed along with the release of security updates for Libarchive.
The vulnerability, tracked as CVE-2019-18408, allows hackers to execute code on a user’s system using nothing more than an incorrectly formatted file. Among the possible exploit scenarios, users could receive malicious files from hackers or from local applications that use various Libarchive components for file decompression.
Many software utilities and operating systems include Libarchive by default, so the potential attack surface is considerable, including desktops, server operating systems, server managers, packages, security utilities, file browsers, and media processing tools such as pkgutils, CMake, Pacman, Nautilus, and Samba.
The maintainers of the operating systems affected by this vulnerability in Libarchive have already released patches; however, it is not known whether other applications will release the corresponding update. Vulnerability testing experts consider that not everything is bad news, as Windows and macOS, the most popular operating systems, are not affected by this flaw.
Specialists in vulnerability testing from the International Institute of Cyber Security (IICS) mention that so far there have been no reports of active exploitation of this vulnerability; similarly, no proof of concept has been developed yet, although it could be a matter of hours before one appears.