Summary

Recent versions of Wolfram systems containing VernierLink were shipped with a vulnerability potentially allowing non-root users to run arbitrary commands as root. This only affects machines where the Wolfram System was installed as root. We therefore strongly recommend you apply the following steps to all Linux systems on which any of these Wolfram System versions are installed.

Details

When run as root, the program installer created a file “/etc/udev/rules.d/wolfram-vernierlink-libusb.rules”. This file assists in communicating with Vernier devices and is run automatically as root each time the affected machine reboots. This was world-writable by default, so non-root users could edit this file.

Affected Wolfram Systems

The following products create the file with world-writable permissions:

Product Versions Operating Systems
Mathematica 11.1, 11.2, 11.3* Linux
Wolfram Desktop 11.1, 11.2, 11.3* Linux
Wolfram Programming Lab 11.1, 11.2, 11.3* Linux
CDF Player
CDF Player Pro
11.1, 11.2, 11.3* Linux
gridMathematica 11.1, 11.2, 11.3* Linux


*11.3 only if installer was downloaded before May 15, 2018.

A patched Version 11.3 for each of these products with this vulnerability addressed is now available in the Wolfram User Portal.

Resolution

If you do not use or plan to use the VernierLink functionality in Mathematica, remove the vulnerable file:

sudo rm /etc/udev/rules.d/wolfram-vernierlink-libusb.rules 

You may be prompted to provide admin-level credentials to complete this action.

If you are connecting Mathematica to Vernier-branded external devices using VernierLink,
adjust the permissions of this file:

sudo chmod 644 /etc/udev/rules.d/wolfram-vernierlink-libusb.rules 

You may be prompted to provide admin-level credentials to complete this action.

If you have any questions or concerns, please contact Wolfram Technical Support.