democritus-file-system is a Python package that lets users access remote files through open, read, and write calls. Installing democritus-file-system also installs the d8s-utility package. Because of this, democritus-file-system is also vulnerable to the code-execution attack carried by that package: once installed, the package attempts to access files over a remote protocol and could execute remote commands on the target machine.
Because the package is distributed through PyPI and is available on many Linux distributions, Linux users are likely installing it without being aware of this.

End users are strongly advised to apply the necessary updates to their systems as soon as possible, and until such time as the vulnerabilities are patched.

Summary of End-user vulnerabilities

A remote code-execution vulnerability has been found in democritus-file-system, whose package installer pulls in the vulnerable package. Once installed, this package could execute remote commands on the target machine.
Because of this, end users are strongly advised to apply the necessary updates to their systems as soon as possible, and until such time as the vulnerabilities are patched.

Update End User Systems

The vulnerability allows attackers to execute remote commands on the target machine. To stay protected, users should update their systems as soon as possible, and until such time as the vulnerabilities are patched.
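Before updating, a practitioner will want to know whether the affected packages are present at all, including when they arrive only as a dependency of something else. The script below is an added example, not code from the advisory or from the Democritus project: it lists the installed distributions with importlib.metadata, normalizes names the way PyPI does (PEP 503, so `democritus_file_system`, `Democritus.File.System` and `democritus-file-system` compare equal), and reports every distribution that is, or declares a requirement on, one of the advisory's package names. The short aliases `d8s-file-system` and `democritus-utility` are assumed alternate names and are not taken from the advisory; no version range is given on the page, so every installed version is flagged.

```python
"""Audit a Python environment for the packages named in this advisory.

Added example, not part of the advisory or of the Democritus project.
"""
import re
from importlib import metadata

# Names from the advisory (democritus-file-system, d8s-utility) plus the
# long/short aliases the project uses; the alias forms are an assumption.
AFFECTED = {
    "democritus-file-system",
    "d8s-file-system",
    "d8s-utility",
    "democritus-utility",
}

# Leading distribution name in a requirement string such as
# "d8s_utility (>=0.1.0) ; python_version >= '3.6'".
_REQ_NAME = re.compile(r"^\s*([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name: str) -> str:
    """PEP 503 normalization: runs of '-', '_' and '.' become '-', lowercase."""
    return re.sub(r"[-_.]+", "-", name).lower()


def requirement_name(requirement: str) -> str:
    """Normalized distribution name from a Requires-Dist line, '' if unparsable."""
    match = _REQ_NAME.match(requirement)
    return normalize(match.group(1)) if match else ""


def find_affected(distributions, affected=AFFECTED) -> dict:
    """Map normalized distribution name -> reasons it was flagged.

    `distributions` is an iterable of (name, requires) pairs, where `requires`
    is the list of Requires-Dist strings (or None).
    """
    wanted = {normalize(a) for a in affected}
    findings = {}
    for name, requires in distributions:
        dist = normalize(name)
        reasons = []
        if dist in wanted:
            reasons.append("named in advisory")
        for req in requires or []:
            dep = requirement_name(req)
            if dep in wanted:
                reasons.append(f"depends on {dep}")
        if reasons:
            findings[dist] = reasons
    return findings


def installed_distributions():
    """Yield (name, requires) for every distribution visible to this interpreter."""
    for dist in metadata.distributions():
        yield dist.metadata["Name"], dist.requires


def audit() -> dict:
    """Run the check against the live environment."""
    return find_affected(installed_distributions())


# Constructed sample metadata, used to illustrate the output offline.
SAMPLE = [
    ("democritus_file_system", ["d8s-utility>=0.1", "requests"]),
    ("D8S.Utility", []),
    ("my-tool", ["d8s_utility (>=0.1.0) ; python_version >= '3.6'"]),
    ("requests", ["urllib3"]),
]

if __name__ == "__main__":
    for dist, reasons in audit().items():
        print(f"{dist}: {', '.join(reasons)}")
```

Run it inside each virtual environment you care about, since importlib.metadata only sees the interpreter it runs under; a hit on `depends on d8s-utility` for a package you did not install deliberately is the case the advisory warns about.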

Description of the vulnerabilities

Two vulnerabilities affect the democritus-file-system package. The first is a directory traversal vulnerability, which allows attackers to access arbitrary files on the target system by using relative paths. This vulnerability affects Debian and Ubuntu installations of democritus-file-system. The second is a command injection vulnerability, which allows attackers to inject arbitrary commands into the running processes of a target machine through calls such as open() or system(). This vulnerability affects Ubuntu installations of democritus-file-system.
CVE: CVE-2022-41381
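The two vulnerability classes named above have standard mitigations in code that wraps file access: resolve the caller's path and refuse it if it lands outside the directory the caller is allowed to see, and pass file names to external tools as an argument vector rather than through a shell. The following is an added example illustrating both checks; it is not code from democritus-file-system and makes no claim about how that package is written. The base directory `/srv/share` and the `wc` tool are constructed placeholders.

```python
"""Containing file access and command construction under a fixed base directory.

Added example, not code from the democritus-file-system package.
"""
import subprocess
from pathlib import Path


class PathEscapeError(ValueError):
    """Raised when a requested path resolves outside the allowed base."""


def resolve_under(base: str, user_path: str) -> Path:
    """Return the absolute path for user_path, guaranteed to lie under base.

    Both sides are resolved (symlinks followed, '..' collapsed) before the
    containment test, so 'docs/../../etc/passwd', an absolute path such as
    '/etc/passwd', or a symlink pointing outside the tree are all rejected.
    """
    root = Path(base).resolve()
    target = (root / user_path).resolve()
    try:
        target.relative_to(root)
    except ValueError:
        raise PathEscapeError(f"{user_path!r} escapes {base}") from None
    return target


def is_contained(base: str, user_path: str) -> bool:
    """True if user_path would be accepted by resolve_under()."""
    try:
        resolve_under(base, user_path)
    except PathEscapeError:
        return False
    return True


def read_under(base: str, user_path: str) -> bytes:
    """open()/read() restricted to files below base."""
    return resolve_under(base, user_path).read_bytes()


def argv_for(tool: str, base: str, user_path: str) -> list:
    """Build a command as an argument vector with the path already validated.

    With a list and shell=False, metacharacters in user_path (';', '$(...)',
    backticks) stay inside one argument instead of being parsed as commands.
    """
    return [tool, str(resolve_under(base, user_path))]


def run_tool(tool: str, base: str, user_path: str) -> subprocess.CompletedProcess:
    """Run `tool` on a contained path without ever invoking a shell."""
    return subprocess.run(
        argv_for(tool, base, user_path),
        shell=False,
        capture_output=True,
        text=True,
        check=False,
    )


if __name__ == "__main__":
    base = "/srv/share"  # constructed placeholder
    for candidate in [
        "docs/report.txt",
        "docs/../../etc/passwd",
        "/etc/passwd",
        "docs/report.txt; id",
    ]:
        try:
            print(candidate, "->", argv_for("wc", base, candidate))
        except PathEscapeError as exc:
            print(candidate, "-> rejected:", exc)
```

Note that `docs/report.txt; id` is accepted by the path check: it is a legal file name under the base directory, and because it is handed over as a single argv element it is looked up as a file called `report.txt; id`, not executed. Only the traversal cases are rejected, which is the intended division of labour between the two checks.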

Timeline

Published on: 10/11/2022 22:15:00 UTC
Last modified on: 10/12/2022 18:58:00 UTC
