CVE-2023-43641
Published: 2023-10-09
Priority: P263, high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 16.57% (96.6th percentile)
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | libcue | < libcue 2.2.1-4+deb12u1 (bookworm) | libcue 2.2.1-4+deb12u1 (bookworm) |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| fedoraproject | fedora | — | — |
| lipnitsk | libcue | < 2.3.0 | 2.3.0 |
| lipnitsk | libcue | <= 2.2.1 | — |
| lipnitsk | libcue | >= 0 < 2.2.1-3+deb11u1 | 2.2.1-3+deb11u1 |
| lipnitsk | libcue | >= 0 < 2.2.1-4+deb12u1 | 2.2.1-4+deb12u1 |
| lipnitsk | libcue | >= 0 < 2.2.1-4.1 | 2.2.1-4.1 |
| lipnitsk | libcue | >= 0 < 2.2.1-4.1 | 2.2.1-4.1 |
Detection & IOCs (extracted from sources)
- Monitor the tracker-extract process for unexpected child process spawning or anomalous memory access patterns when parsing .cue files dropped into ~/Downloads.
- Alert on .cue files written to ~/Downloads on GNOME desktop systems, as this is the trigger path for automatic exploitation via tracker-miners.
- Confirmed working exploits exist for Ubuntu 23.04 and Fedora 38; prioritize detection and patching on these distributions.
- Red Hat Enterprise Linux 7, 8, and 9 are NOT affected because libcue is disabled in Red Hat builds of tracker-miners.
- Exploitation requires the GNOME desktop environment with tracker-miners active and libcue enabled; non-GNOME or headless systems are not directly exposed via this attack vector.
CVSS provenance
- nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- osv: 8.8 HIGH
- vendor_debian: 8.8 HIGH
- vendor_redhat: 8.8 HIGH
Ubuntu
CUE vulnerability
vendor_ubuntu·2023-10-17
CVE-2023-43641 CUE vulnerability
Title: CUE vulnerability
Summary: CUE could be made to execute arbitrary code if it received a specially
crafted file.
USN-6423-1 fixed a vulnerability in CUE. This update provides the
corresponding updates for Ubuntu 23.10.
Original advisory details:
It was discovered that CUE incorrectly handled certain files.
An attacker could possibly use this issue to expose sensitive
information or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
libcue: out-of-bounds array access leads to RCE
vendor_redhat·2023-10-09·CVSS 8.8
CVE-2023-43641 [HIGH] CWE-787 libcue: out-of-bounds array access leads to RCE
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
A flaw was found in libcue, which is consumed by the tracker-miners application. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious web page, allowing
Ubuntu
CUE vulnerability
vendor_ubuntu·2023-10-09
CVE-2023-43641 CUE vulnerability
Title: CUE vulnerability
Summary: CUE could be made to execute arbitrary code if it received a specially
crafted file.
It was discovered that CUE incorrectly handled certain files.
An attacker could possibly use this issue to expose sensitive
information or execute arbitrary code.
Instructions: In general, a standard system update will make all the necessary changes.
Debian
CVE-2023-43641: libcue - libcue provides an API for parsing and extracting data from CUE sheets. Versions...
vendor_debian·2023·CVSS 8.8
CVE-2023-43641 [HIGH] CVE-2023-43641: libcue - libcue provides an API for parsing and extracting data from CUE sheets. Versions...
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
Scope: local
bookworm: resolved (fixed in 2.2.1-4+deb12u1)
bullseye: resolved (fixed in 2.2.1-3+deb11u1)
forky: resolved (fixed in 2.2.1-4.1)
sid: resolved (fixed in 2.2.1-4.1)
trixie: resolved (fixed in 2.2.1-4.1)
OSV
CVE-2023-43641: libcue provides an API for parsing and extracting data from CUE sheets
osv·2023-10-09·CVSS 8.8
CVE-2023-43641 [HIGH] CVE-2023-43641: libcue provides an API for parsing and extracting data from CUE sheets
libcue provides an API for parsing and extracting data from CUE sheets. Versions 2.2.1 and prior are vulnerable to out-of-bounds array access. A user of the GNOME desktop environment can be exploited by downloading a cue sheet from a malicious webpage. Because the file is saved to `~/Downloads`, it is then automatically scanned by tracker-miners. And because it has a .cue filename extension, tracker-miners use libcue to parse the file. The file exploits the vulnerability in libcue to gain code execution. This issue is patched in version 2.3.0.
No detection rules found.
No public exploits indexed.
- http://packetstormsecurity.com/files/176128/libcue-2.2.1-Out-Of-Bounds-Access.html
- https://github.blog/2023-10-09-coordinated-disclosure-1-click-rce-on-gnome-cve-2023-43641/
- https://github.com/lipnitsk/libcue/commit/cfb98a060fd79dbc3463d85f0f29c3c335dfa0ea
- https://github.com/lipnitsk/libcue/commit/fdf72c8bded8d24cfa0608b8e97f2eed210a920e
- https://github.com/lipnitsk/libcue/security/advisories/GHSA-5982-x7hv-r9cj
- https://lists.debian.org/debian-lts-announce/2023/10/msg00018.html
- https://lists.fedoraproject.org/archives/list/[email protected]/message/57JEYTRFG4PVGZZ7HIEFTX5I7OONFFMI/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/PGQOMFDBXGM3DOICCXKCUS76OTKTSPMN/
- https://lists.fedoraproject.org/archives/list/[email protected]/message/XUS4HTNGGGUIFLYSKTODCRIOXLX5HGV3/
- https://www.debian.org/security/2023/dsa-5524