Alerts This Week
Warning Icon 1 727
Alerts This Week
Warning Icon 1 727

Gentoo Linux GLSA 202310-15 High: USBView Privilege Escalation Risk

gentoo
Calendar Grey October 26, 2023
Dist Gentoo Esm H88
An update from Gentoo GLSA 202310-16 addresses a critical vulnerability in usbview that could grant unauthorized root privileges because of improper polkit configurations.
A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation.

Summary

A vulnerability has been discovered in usbview. Please review the CVE identifier referenced below for details.

Topics%20covered

Topics Covered

security advisory gentoo privilege escalation high usbview polkit settings

Resolution

All USBView users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=app-admin/usbview-2.2"

References

[ 1 ] CVE-2022-23220 https://nvd.nist.gov/vuln/detail/CVE-2022-23220

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202310-15
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: High
Title: USBView: root privilege escalation via insecure polkit settings
Date: October 26, 2023
Bugs: #831756
ID: 202310-15

Topics%20covered

Topics Covered

security advisory gentoo privilege escalation high usbview polkit settings

Synopsis

A vulnerability has been discovered in usbview where certain users can trigger a privilege escalation.

Background

USBView is a tool to display the topology of devices on the USB bus.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

Package Vulnerable Unaffected ----------------- ------------ ------------ app-admin/usbview < 2.2 >= 2.2

Impact

USBView allows some local users (e.g., ones logged in via SSH) to execute arbitrary code as root because certain Polkit settings (e.g., allow_any=yes) for pkexec disable the authentication requirement. Code execution can, for example, use the --gtk-module option.

Workaround

There is no known workaround at this time.

Your message here