Major security issue in Ubuntu Desktop default config - Removable Media

Bug #1983778 reported by niix
Affects: GSettings Desktop Schemas; Status: Fix Released; Importance: Unknown
Affects: gsettings-desktop-schemas (Ubuntu); Status: Fix Released; Importance: Wishlist; Assigned to: Unassigned

Bug Description

There is a MAJOR SECURITY VULNERABILITY in Ubuntu Desktop since release 18.04!

Recently I used Ubuntu 22.04 LTS and noticed that the issue still exists!

I don’t know the reason for it, but default values for “Removable Media” are VERY Risky!
It will automatically run the software which is attached to the removable media.
Why? Why has Ubuntu still not disabled that option?

The following is the default configuration (the “bad” configuration):
https://imgur.com/XXXQlV2

The following is the configuration which Ubuntu should be having (it is the fix to the problem):
https://imgur.com/a/0JeM6ve

Please change the default configurations for Ubuntu!

niix (niix) wrote :

I am attaching the file "Better_Configuration_TBD.png" which shows the fix to this issue - this is the desired solution for the issue.

Marc Deslauriers (mdeslaur) wrote :

Is there a particular reason you think this is dangerous? Before running anything, it asks the user what to do, and warns not to run it if it's untrusted... See screenshot...

Marc Deslauriers (mdeslaur) wrote :
affects: ubuntu → gnome-control-center (Ubuntu)
Changed in gnome-control-center (Ubuntu):
status: New → Incomplete
information type: Private Security → Public Security
niix (niix) wrote :

Hey @Marc Deslauriers (mdeslaur),

I appreciate your reply, but please consider the following:

Reason #1:

Having that pop-up screen makes it easy to execute software.
Imagine, for example, a malicious person in a College or some other public place - quickly inserting a USB device into a briefly unattended laptop and quickly clicking "Run" on the warning dialog.

These things may happen! I've witnessed students conspire to do that!

Why would Ubuntu make it so easy for people to execute software automatically?

Reason #2:

In the security aspect, the default approach should be to avoid any execution of software, or at least make it more difficult.
Automatic execution of software which is on a USB drive is considered a bad practice and is outdated.

Reason #3:

I think that most people don't use automatic execution of software.
Thus, why would Ubuntu even allow it to happen so easily?
Any person who uses automatic execution could configure the appropriate configs.
But there is no reason for it to be allowed by default.

---

Bottom line, we are in an era where all options for Removable Media should be "Do nothing" and the tickbox of "Never prompt or start programs on media insertion" should be ticked.

The user has the option to change these configs.
Preferably, only admin (verified with password) is allowed to change these configs.

Marc Deslauriers (mdeslaur) wrote :

I personally don't think the reasons you've listed above are good enough to change the default setting, but please file a bug with the upstream project and you can convince them to change them:

https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues

Once you've filed a bug with the GNOME project, please paste the bug number here.

Thanks!

Changed in gnome-control-center (Ubuntu):
status: Incomplete → Confirmed
importance: Undecided → Wishlist
niix (niix) wrote :

Hey Marc,

Per your request, bug number is:
#2522

Changed in gnome-control-center:
status: Unknown → New
Changed in gnome-control-center:
status: New → Fix Released
Jeremy Bícha (jbicha)
affects: gnome-control-center → gsettings-desktop-schemas
Changed in gsettings-desktop-schemas:
status: Fix Released → Unknown
Changed in gsettings-desktop-schemas:
status: Unknown → New
Changed in gsettings-desktop-schemas:
status: New → Fix Released
Jeremy Bícha (jbicha)
affects: gnome-control-center (Ubuntu) → gsettings-desktop-schemas (Ubuntu)
Changed in gsettings-desktop-schemas (Ubuntu):
status: Confirmed → Fix Committed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gsettings-desktop-schemas - 45~rc-1ubuntu1

---------------
gsettings-desktop-schemas (45~rc-1ubuntu1) mantic; urgency=medium

  * Merge with Debian. Remaining changes:
    - Add ubuntu_lock-on-suspend.patch
    - Add dark-theme migration script using dh-migrations
  * Drop Breaks: ukwm because ukwm still runs but fails to build from source
    for unrelated reasons

gsettings-desktop-schemas (45~rc-1) unstable; urgency=medium

  * New upstream release
    - media-handling: Don't autostart software by default when media is inserted
      (LP: #1983778, LP: #1617620)
  * Add Breaks against packages that used dropped toggle-shaded
  * Drop obsolete Breaks

gsettings-desktop-schemas (44.0-2) unstable; urgency=medium

  * Update standards version to 4.6.2, no changes needed
  * Release to unstable

 -- Jeremy Bícha <email address hidden> Thu, 07 Sep 2023 13:24:00 -0400

Changed in gsettings-desktop-schemas (Ubuntu):
status: Fix Committed → Fix Released
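
An added example, not part of the bug report or of gsettings-desktop-schemas: a shell function that audits the `org.gnome.desktop.media-handling` keys behind the Removable Media settings discussed in this thread. The key names are taken from the GNOME schema rather than from this page, and both sample inputs are constructed.

```shell
#!/bin/sh
# Added example: audit GNOME removable-media autorun settings.
# Reads `gsettings list-recursively org.gnome.desktop.media-handling`
# output on stdin, prints one RISK line per finding, returns 1 if any.
audit_media_handling() {
    awk '
    $1 != "org.gnome.desktop.media-handling" { next }
    {
        key = $2
        val = $0
        sub(/^[^ ]+ +[^ ]+ +/, "", val)   # strip schema and key, keep value
    }
    key == "autorun-never" {
        seen = 1
        if (val != "true") { print "RISK autorun-never=" val; bad = 1 }
    }
    key == "autorun-x-content-start-app" && index(val, "x-content/") {
        print "RISK start-app list not empty: " val; bad = 1
    }
    END {
        if (!seen) { print "RISK autorun-never not reported"; bad = 1 }
        exit bad + 0
    }'
}

# Constructed sample: a desktop where software autostart is still enabled.
sample_old_default() {
    cat <<'EOF'
org.gnome.desktop.media-handling automount true
org.gnome.desktop.media-handling automount-open true
org.gnome.desktop.media-handling autorun-never false
org.gnome.desktop.media-handling autorun-x-content-ignore @as []
org.gnome.desktop.media-handling autorun-x-content-open-folder @as []
org.gnome.desktop.media-handling autorun-x-content-start-app ['x-content/unix-software']
EOF
}

# Constructed sample: "never prompt or start programs" ticked, nothing autostarted.
sample_hardened() {
    cat <<'EOF'
org.gnome.desktop.media-handling automount true
org.gnome.desktop.media-handling autorun-never true
org.gnome.desktop.media-handling autorun-x-content-start-app @as []
EOF
}

sample_old_default | audit_media_handling || echo "autostart sample: findings above"
sample_hardened | audit_media_handling && echo "hardened sample: clean"
```

On a real desktop session, pipe `gsettings list-recursively org.gnome.desktop.media-handling` into `audit_media_handling`; `gsettings set org.gnome.desktop.media-handling autorun-never true` applies the per-user setting the reporter asks for.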