Bug 1173555 – CVE-2014-7824 dbus: local denial of service via incomplete fix for CVE-2014-3636

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1173555 - (CVE-2014-7824) CVE-2014-7824 dbus: local denial of service via incomplete fix for CVE-2014-3636

Summary:	CVE-2014-7824 dbus: local denial of service via incomplete fix for CVE-2014-3636

Status:	CLOSED NOTABUG

Aliases:	CVE-2014-7824

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20141110,reported=2...
Keywords:	Security

Depends On:	1173556 1173557 1173558
Blocks:	1140534 1160627
	Show dependency tree / graph

Reported:	2014-12-12 07:12 EST by Vasyl Kaigorodov
Modified:	2016-06-13 08:11 EDT (History)
CC List:	8 users (show)

See Also:
Fixed In Version:	dbus 1.6.26, dbus 1.8.10, dbus 1.9.2
Doc Type:	Bug Fix
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:	2014-12-12 18:32:21 EST
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
0001-DBusSystemLogSeverity-add-DBUS_SYSTEM_LOG_WARNING.patch (2.80 KB, patch) 2014-12-12 07:16 EST, Vasyl Kaigorodov	no flags	Details \| Diff
0002-Set-fd-rlimit-to-64k-for-the-system-dbus-daemon.patch (12.35 KB, patch) 2014-12-12 07:16 EST, Vasyl Kaigorodov	no flags	Details \| Diff
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Vasyl Kaigorodov 2014-12-12 07:12:07 EST

The patch issued by the D-Bus maintainers for CVE-2014-3636 was based on
incorrect reasoning, and does not fully prevent the attack described as
"CVE-2014-3636 part A", which is repeated below. Preventing that attack
requires raising the system dbus-daemon's RLIMIT_NOFILE (ulimit -n) to a
higher value.

To avoid propagating that higher limit to activatable system services,
it is desirable to start the system dbus-daemon as root so it can store
its previous limit, raise its limit, drop root privileges (which its
default configuration will do automatically), and restore the previous
limit before launching activatable services. Some operating system
distributions, such as anything using the upstream-supplied systemd
units, start the system dbus-daemon as root already; others, such as
Debian 7, currently start the system dbus-daemon under its less
privileged uid and will need minor modifications to their init scripts.

Suggested patches are attached. Patch 0001 is not strictly required, but
if it is skipped, it will be necessary to replace each occurrence of
DBUS_SYSTEM_LOG_WARNING with DBUS_SYSTEM_LOG_INFO in patch 0002.

Attack details (repeating CVE-2014-3636 part A):

By queuing up the maximum allowed number of fds, a malicious sender
could reach the system dbus-daemon's RLIMIT_NOFILE (ulimit -n, typically
1024 on Linux). This would act as a denial of service in two ways:

* new clients would be unable to connect to the dbus-daemon
* when receiving a subsequent message from a non-malicious client that
  contained a fd, dbus-daemon would receive the MSG_CTRUNC flag,
  indicating that the list of fds was truncated; kernel fd-passing APIs
  do not provide any way to recover from that, so dbus-daemon responds
  to MSG_CTRUNC by disconnecting the sender, causing denial of service
  to that sender

Comment 1 Vasyl Kaigorodov 2014-12-12 07:13:27 EST

Created dbus tracking bugs for this issue:

Affects: fedora-all [bug 1173556]

Comment 2 Vasyl Kaigorodov 2014-12-12 07:13:30 EST

Created mingw-dbus tracking bugs for this issue:

Affects: fedora-all [bug 1173557]
Affects: epel-7 [bug 1173558]

Comment 3 Vasyl Kaigorodov 2014-12-12 07:16:16 EST

Created attachment 967617 [details]
0001-DBusSystemLogSeverity-add-DBUS_SYSTEM_LOG_WARNING.patch

Comment 4 Vasyl Kaigorodov 2014-12-12 07:16:57 EST

Created attachment 967618 [details]
0002-Set-fd-rlimit-to-64k-for-the-system-dbus-daemon.patch

Comment 5 Vincent Danen 2014-12-12 09:27:27 EST

Original report to oss-security:

http://www.openwall.com/lists/oss-security/2014/11/10/2

Comment 6 Vincent Danen 2014-12-12 09:29:21 EST

Note that CVE-2014-3636 (bug #1140525) was not previously corrected by any errata.

Comment 7 Vincent Danen 2014-12-12 18:32:21 EST

As no prior Red Hat Enterprise Linux release contains the incorrect fix, they are not affected by this particular CVE.  See bug #1140525 for details.

Comment 8 Fedora Update System 2014-12-13 04:47:46 EST

dbus-1.6.28-1.fc20 has been pushed to the Fedora 20 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 9 Fedora Update System 2014-12-16 23:46:54 EST

dbus-1.8.12-1.fc21 has been pushed to the Fedora 21 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 10 Fedora Update System 2014-12-19 13:26:22 EST

dbus-1.6.28-1.fc19 has been pushed to the Fedora 19 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.