#VU64516 Security features bypass in exo - CVE-2022-32278

Cybersecurity Help s.r.o.

Published: 2022-06-20

Vulnerability identifier: #VU64516

Vulnerability risk: Medium

CVSSv4.0: 4.8 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2022-32278

CWE-ID: CWE-254

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
exo
Universal components / Libraries / Libraries used by multiple products

Vendor: xfce-mirror

Description

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to xdg-open can execute a ".desktop" file on an attacker-controlled FTP server. A remote attacker can trick the victim into opening a malicious desktop file and execute arbitrary code on the system.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

exo: 0.1.1 - 4.17.1

External links
https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f
https://www.debian.org/security/2022/dsa-5164

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Gentoo update for Exo

Ubuntu update for exo

Debian update for exo

Remote code execution in XFCE exo