CVE-2022-32278

8.8 HIGH

📋 TL;DR

CVE-2022-32278 is a remote code execution vulnerability in XFCE 4.16 where attackers can trick xdg-open into executing malicious .desktop files from attacker-controlled FTP servers. This affects XFCE desktop environment users who open untrusted files or links. The vulnerability allows arbitrary code execution with the privileges of the logged-in user.

💻 Affected Systems

Products:
  • XFCE
  • exo
Versions: XFCE 4.16 (specifically exo library versions before fix)
Operating Systems: Linux distributions with XFCE desktop environment
Default Config Vulnerable: ⚠️ Yes
Notes: Affects default XFCE 4.16 installations. Requires user interaction (opening a malicious file/link).

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via arbitrary code execution leading to data theft, ransomware deployment, or persistent backdoor installation.

🟠

Likely Case

Malware installation, credential theft, or lateral movement within the network from a compromised user session.

🟢

If Mitigated

Limited impact if the user does not open untrusted files or links; if combined with other vulnerabilities, there is potential for sandbox escape or privilege escalation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires user interaction, but exploitation is straightforward once the user opens malicious content. No authentication is needed beyond the user clicking or opening the content.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: exo library with commit c71c04ff5882b2866a0d8506fb460d4ef796de9f or later

Vendor Advisory: https://gitlab.xfce.org/xfce/exo/-/commit/c71c04ff5882b2866a0d8506fb460d4ef796de9f

Restart Required: Yes

Instructions:

1. Update system packages via the package manager.
2. For Debian/Ubuntu: sudo apt update && sudo apt upgrade
3. For other distros: use the appropriate package manager.
4. Restart the XFCE session or reboot.

🔧 Temporary Workarounds

Disable FTP protocol handling in xdg-open

Platform: linux

Prevent xdg-open from handling FTP URLs to block this attack vector. xdg-open resolves URL schemes through the x-scheme-handler/ftp MIME type, so first see which application currently handles it, then point that type at an application that will not open the remote directory (replace <safe-handler>.desktop with the handler of your choice):

xdg-mime query default x-scheme-handler/ftp
xdg-mime default <safe-handler>.desktop x-scheme-handler/ftp

Alternatively, modify /usr/share/applications/mimeinfo.cache to remove the ftp associations; note that update-desktop-database regenerates this file, so a hand edit is lost on the next package update. Under XFCE, xdg-open hands URLs to exo-open, so confirm the change takes effect by opening a known-harmless ftp:// URL afterward.

Use alternative file manager

Platform: linux

Configure the system to use a different file manager that does not use the vulnerable exo library:

update-alternatives --config x-file-manager

🧯 If You Can't Patch

  • Implement strict user training about opening untrusted files/links
  • Deploy application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check the installed exo library version with dpkg -l | grep exo or rpm -qa | grep exo. If the packaged version predates the fix commit (compare against your distribution's changelog), the system is vulnerable.

Check Version:

dpkg -l | grep exo  # Debian/Ubuntu
rpm -qa | grep exo  # RHEL/Fedora
pacman -Q exo      # Arch

Verify Fix Applied:

Verify exo package version includes commit c71c04ff5882b2866a0d8506fb460d4ef796de9f. Check package changelog or version string.

📡 Detection & Monitoring

Log Indicators:

  • Unusual xdg-open processes spawning from FTP URLs
  • Suspicious .desktop file executions from network locations

Network Indicators:

  • Outbound FTP connections to unknown servers followed by local process execution

SIEM Query:

process.name="xdg-open" AND network.destination.port=21
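As an added example (not part of this advisory or of the exo project), the two log indicators above turned into a small correlation rule in Python over constructed process-start records; the gvfs mount path convention /run/user/<uid>/gvfs/ftp:host=<server>/ is an assumption about how an FTP share appears on disk.

```python
import re

# Constructed sample process-start records (not real telemetry), shaped like an
# EDR/SIEM export: ts (seconds), pid, ppid, process name and full command line.
SAMPLE_EVENTS = [
    {"ts": 100, "pid": 4101, "ppid": 2200, "name": "xdg-open",
     "args": "xdg-open ftp://203.0.113.9/pub/"},
    {"ts": 103, "pid": 4110, "ppid": 4101, "name": "exo-open",
     "args": "exo-open /run/user/1000/gvfs/ftp:host=203.0.113.9/pub/report.desktop"},
    {"ts": 200, "pid": 4130, "ppid": 2200, "name": "xdg-open",
     "args": "xdg-open https://example.org/doc.pdf"},
    {"ts": 201, "pid": 4131, "ppid": 4130, "name": "evince",
     "args": "evince /tmp/doc.pdf"},
]

# Indicator 1 from the advisory: xdg-open invoked on an ftp:// URL.
FTP_URL = re.compile(r"\bftp://", re.IGNORECASE)
# Indicator 2 from the advisory: a .desktop file referenced at a network location.
# Assumed path convention: gvfs FUSE mounts appear as /run/user/<uid>/gvfs/ftp:host=<server>/.
NETWORK_DESKTOP = re.compile(r"(?:/gvfs/ftp:host=|\bftp://)\S*\.desktop\b", re.IGNORECASE)

def ancestors(event, by_pid):
    """Yield the parent chain of a process record by following ppid links."""
    seen, pid = set(), event["ppid"]
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        yield by_pid[pid]
        pid = by_pid[pid]["ppid"]

def detect(events, window=60):
    """Return (rule, pid, command line) alerts. Each indicator alerts on its
    own; 'chained' fires when a network .desktop reference descends from an
    xdg-open ftp:// process started within `window` seconds."""
    by_pid = {e["pid"]: e for e in events}
    alerts, ftp_roots = [], set()
    for e in events:
        if e["name"] == "xdg-open" and FTP_URL.search(e["args"]):
            alerts.append(("xdg-open-ftp", e["pid"], e["args"]))
            ftp_roots.add(e["pid"])
    for e in events:
        if not NETWORK_DESKTOP.search(e["args"]):
            continue
        alerts.append(("network-desktop", e["pid"], e["args"]))
        for anc in ancestors(e, by_pid):
            if anc["pid"] in ftp_roots and 0 <= e["ts"] - anc["ts"] <= window:
                alerts.append(("chained", e["pid"], e["args"]))
                break
    return alerts
```

The 'chained' alert is the one worth paging on; the two single-indicator alerts are noisy on hosts where users legitimately browse FTP shares.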
