Details about a critical, 9.9-rated unauthenticated RCE affecting all GNU/Linux systems — and possibly others — will soon be revealed, according to bug hunter Simone Margaritelli, who says there's still no fix for the decade-old flaw he disclosed to developers three weeks ago.
Margaritelli promises his write-up will include a proof-of-concept exploit and technical details about the doomsday flaw. It is expected to be released on September 30, or possibly earlier. As several other researchers have pointed out in Xeets, providing more context to the yet-to-be-disclosed vulnerability: the previous worst-of-the-worst, Heartbleed, received a 7.5 CVSS rating.
As Linux systems administrators undoubtedly remember, this one was a doozy.
The good news about the new bug is that the delayed disclosure gives security teams some time to prepare. Hopefully.
In his blog and social media posts, Margaritelli said the bug still doesn't have a CVE assigned to it, adding that there should be at least three and "ideally" six CVEs.
Canonical and Red Hat have confirmed the 9.9 severity of the issue, we're told. The Register did not immediately hear back from the two companies about this, but we will update this story as soon as we do.
While we don't have any technical details about the flaw, we do know the disclosure process did not go well, according to Margaritelli:
And despite the limited information about the bug, infosec bods are taking the warning seriously.
"A vulnerability with a 9.9 CVSS indicates a low complexity to exploit and signs are pointing to the flaw existing at the core of the system," Sonatype CTO Brian Fox said, in an email sent to The Register. "Considering this is Linux, the scope of this vulnerability is massive and successful exploitation could be devastating — everything from your Wi-Fi router to the grid keeping the lights on runs on Linux." ®