date 2018-04-10
Linux: Beep Command Can Be Used to Probe for the Presence of Sensitive Files (bleepingcomputer.com) 17
Catalin Cimpanu, writing for BleepingComputer: A vulnerability in the "beep" package that comes pre-installed with Debian and Ubuntu distros allows an attacker to probe for the presence of files on a computer, even those owned by root users, which are supposed to be secret and inaccessible. The vulnerability, tracked as CVE-2018-0492, has been fixed in recent versions of Debian and Ubuntu (Debian-based OS). At its core, the bug is a race condition in the beep utility that allows the OS to emit a "beep" sound whenever it is deemed necessary. Security researchers have discovered a race condition in the beep package that allows an attacker to elevate his code to root-level access.
Right? About the only thing worse would be a kernel vulnerability in something silly like fonts [blogspot.com]...
The beep vulnerability makes a lot of sense, actually. Related to this update, I recently learned that the ubiquitous beep used to be driven by reprogramming the system clock [microsoft.com]. Naturally, that kind of hardware access is something that should be a system administrator function, restricted to root on *nix systems. It would make sense, then, that any vulnerability there would likely be a privilege escalation.
Beep is not pre-installed on Debian GNU/Linux.
It's not pre-installed on Mint either.
It's not Debian installed by default.
