An unnamed security researcher has found several vulnerabilities in the Linux command line tool Beep, including a severe flaw introduced by a patch for a privilege escalation vulnerability.
Beep is a small open source utility used in the past by Linux developers to produce a beep with a computer’s internal speaker, it allows users to control the pitch, duration, and repetitions of the sound.
The researcher discovered a race condition in the utility that could be exploited by an attacker to escalate privileges to root. Versions through 1.3.4 are affected by the flaw that was tracked as CVE-2018-0492.
Further info on the flaw is available on the website holeybeep.ninja
Is your system vulnerable? In order to discover if a system is vulnerable it is possible to run the following command:
curl https://holeybeep.ninja/am_i_vulnerable.sh | sudo bash
A vulnerable machine will beep.
The Holey Beep website also provides a patch, but experts noticed that it actually introduces a potentially more serious vulnerability that could be exploited to execute an arbitrary code on the patched system.
“The patch vulnerability seems more severe to me, as people apply patches all the time (they shouldn’t do it as root, but people are people),” reads a message published by Tony Hoyle on the Debian bug tracker. “It’s concerning that the holeybeep.ninja site exploited an unrelated fault for ‘fun’ without apparently telling anyone.”
Waiting for a code review of the utility, probably it is time to remove the utility from distros because PC speaker doesn’t exist in most modern systems.
(Security Affairs – Linux distros, hacking)
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.