Bug 1901994 (CVE-2020-16125)

Summary: CVE-2020-16125 gdm: inability to timely contact accountservice via dbus leads gnome-initial-setup to creation of account with admin privileges
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: low
Docs Contact:
Priority: low
Version: unspecified
CC: caillon+fedoraproject, gnome-sig, hdegoede, mclasen, normand, philip.wyett, rhughes, rstrode
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: gdm-3.36.2 gdm-3.38.2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in GDM. If GDM cannot contact the AccountService service via DBus in a timely manner, it defaults to assuming that no user accounts exist and allows an attacker to create a new user with administrative privileges.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-10-28 10:29:57 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1901995, 1902261, 1910524, 1918391
Bug Blocks: 1901996

Description Marian Rehak 2020-11-26 14:56:14 UTC
gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be chained with an additional issue that could allow a local user to create a new privileged account.

External Reference:

https://gitlab.gnome.org/GNOME/gdm/-/issues/642

Comment 1 Marian Rehak 2020-11-26 14:56:32 UTC
Created gdm tracking bugs for this issue:

Affects: fedora-all [bug 1901995]

Comment 3 Riccardo Schirone 2020-11-27 13:22:35 UTC
To exploit this issue an attacker would require another flaw in accounts-daemon or be able to somehow block dbus services from working properly. For this reason its impact was determined to be Low.

Comment 4 Riccardo Schirone 2020-11-27 13:24:58 UTC
By default GDM assumes that no users exist on the system and it calls AccountService service through DBus to check if that's true or not. However, in case something goes wrong with the DBus call, the default value would not be changed and a utility to configure a new admin user is called. For this reason, if a physical attacker can somehow stop the DBus call, he would be able to trick GDM into running the utility and create a new admin user.
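The fail-open default described in the comment above, shown as an added C example beside its fail-closed counterpart. This is not gdm's code: the type and function names (accounts_status_t, list_users_fn, needs_initial_setup_*) and the stand-in service functions are assumptions for illustration, and the stand-ins simulate the AccountService reply rather than talking to D-Bus.

```c
/* Added example, not gdm's code. Illustrates the fail-open default behind
 * CVE-2020-16125 next to the fail-closed form. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>

/* Outcome of asking the accounts service for the list of users. */
typedef enum {
    ACCOUNTS_OK,        /* query answered */
    ACCOUNTS_TIMEOUT,   /* no reply before the deadline */
    ACCOUNTS_ERROR      /* bus or service error */
} accounts_status_t;

/* Hypothetical stand-in for the D-Bus call that lists cached users. */
typedef accounts_status_t (*list_users_fn)(int *n_users);

/* Vulnerable pattern: "no users exist" is the starting value and it survives
 * any failure of the query, so a timeout alone launches initial setup. */
bool needs_initial_setup_fail_open(list_users_fn list_users)
{
    bool have_existing_users = false;   /* default: nobody exists */
    int n = 0;
    if (list_users(&n) == ACCOUNTS_OK)
        have_existing_users = (n > 0);
    /* on ACCOUNTS_TIMEOUT / ACCOUNTS_ERROR the default is left untouched */
    return !have_existing_users;
}

/* Hardened pattern: a query that did not succeed is treated as "users may
 * exist", so setup only runs when the service positively reports an empty
 * system. */
bool needs_initial_setup_fail_closed(list_users_fn list_users)
{
    int n = 0;
    accounts_status_t st = list_users(&n);
    if (st != ACCOUNTS_OK) {
        fprintf(stderr, "accounts query failed (%d); not running initial setup\n", (int)st);
        return false;
    }
    return n == 0;
}

/* Constructed stand-ins that simulate how the service might answer. */
accounts_status_t svc_one_user(int *n) { *n = 1; return ACCOUNTS_OK; }
accounts_status_t svc_empty(int *n)    { *n = 0; return ACCOUNTS_OK; }
accounts_status_t svc_timeout(int *n)  { (void)n; return ACCOUNTS_TIMEOUT; }
```

With svc_timeout the fail-open variant reports that initial setup is needed while the fail-closed variant does not; both agree when the service actually answers.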

Comment 5 Riccardo Schirone 2020-11-27 14:08:26 UTC
Ubuntu runs a particular version of accounts-daemon with specific patches that make it vulnerable to a Denial of Service attack. See CVE-2020-16126 and CVE-2020-16127. Those can be used to actually make the AccountService call time out and trigger this issue. We are not aware of such issues in Red Hat products.