Details about a critical, 9.9-rated unauthenticated RCE affecting all GNU/Linux systems — and possibly others — will soon be revealed, according to bug hunter Simone Margaritelli, who says there's still no fix for the decade-old flaw he disclosed to developers three weeks ago.
Margaritelli promises his write-up will include a proof-of-concept exploit and technical details about the doomsday flaw. It is expected to be released on September 30, or possibly earlier. Several other researchers have pointed out in Xeets, to put the yet-to-be-disclosed vulnerability in context, that the previous worst-of-the-worst, Heartbleed, received a 7.5 CVSS rating.
As Linux systems administrators undoubtedly remember, that one was a doozy.
The good news about the new bug is that the delayed disclosure gives security teams some time to prepare. Hopefully.
In his blog and social media posts, Margaritelli said the bug still doesn't have a CVE assigned to it, adding that there should be at least three and "ideally" six CVEs.
Canonical and Red Hat have confirmed the 9.9 severity of the issue, we're told. The Register did not immediately hear back from the two companies about this, but we will update this story as soon as we do.
While we don't have any technical details about the flaw, we do know the disclosure process did not go well, according to Margaritelli:
"Like, I write software, I get it, I get how someone can be defensive about the stuff they write, I really do. But holy sh, if your software has been running on everything for the last 20 years, you have a freaking responsibility to own and fix your bugs instead of using your energies to explain to the poor bastard that reported them how wrong he is, even tho he's literally giving you PoC after PoC and systematically proving your assumptions about your own software wrong at every comment. This is just insane."
And despite the limited information about the bug, infosec bods are taking the warning seriously.
"A vulnerability with a 9.9 CVSS indicates a low complexity to exploit and signs are pointing to the flaw existing at the core of the system," Sonatype CTO Brian Fox said, in an email sent to The Register. "Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your Wi-Fi router to the grid keeping the lights on runs on Linux." ®
Source: The Register