Bug 1717958 (CVE-2019-14822) - CVE-2019-14822 ibus: missing authorization allows local attacker to access the input bus of another user
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-14822
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Importance: medium medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1750835 1750836 1751940
Blocks: 1717963
Reported: 2019-06-06 14:21 UTC by Dhananjay Arunesh
Modified: 2021-02-16 21:51 UTC (History)
CC List: 10 users

Fixed In Version: ibus 1.5.22
Doc Type: If docs needed, set a value
Doc Text:
A flaw was discovered in ibus that allows any unprivileged user to monitor and send method calls to the ibus bus of another user due to a misconfiguration in the DBus server setup. A local attacker may use this flaw to intercept all keystrokes of a victim user who is using the graphical interface, change the input method engine, or modify other input related configurations of the victim user.
Clone Of:
Environment:
Last Closed: 2020-04-28 16:32:53 UTC
Embargoed:

Links
System                  ID              Private  Priority  Status  Summary  Last Updated
Red Hat Product Errata  RHSA-2020:1880  0        None      None    None     2020-04-28 16:03:10 UTC
Red Hat Product Errata  RHSA-2020:3978  0        None      None    None     2020-09-29 20:17:28 UTC

Description Dhananjay Arunesh 2019-06-06 14:21:01 UTC
ibus uses a GDBusServer with G_DBUS_SERVER_FLAGS_AUTHENTICATION_ALLOW_ANONYMOUS, and doesn't set a GDBusAuthObserver, which allows anyone who can connect to its AF_UNIX socket to authenticate and be authorized to send method calls. It also seems to use an abstract AF_UNIX socket, which does not have filesystem permissions, so the practical effect might be that a local attacker can connect to another user's ibus service and make arbitrary method calls.
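The setup described in this report (anonymous authentication accepted, no observer identifying the peer, an abstract socket that no filesystem permission protects) can be exercised end to end without ibus. Below is an added example, not code from ibus or from this report, that runs both halves of the D-Bus SASL handshake (client sends a NUL byte and `AUTH <mechanism>`, server answers `OK <guid>` or `REJECTED <mechanisms>`, client answers `BEGIN`) over an abstract AF_UNIX socket the script creates itself. The server takes `owner_uid=None` to mimic the flawed policy (every mechanism, ANONYMOUS included, is accepted and the peer is never identified) and a UID to mimic a corrected one (only EXTERNAL is offered and the kernel-reported SO_PEERCRED UID must match the bus owner). It also parses the world-readable `/proc/net/unix` table, where abstract sockets appear with a leading `@`; the sample table, the socket name, the GUID and the `owner_uid` knob are the example's own assumptions, not ibus internals.

```python
# Added example (not ibus code): both halves of the D-Bus SASL handshake over an
# abstract AF_UNIX socket, with the server policy switchable between the flawed
# setup described in the report and a peer-credential check. Linux only.
import os
import socket
import struct
import threading
import uuid

MY_UID = os.getuid()

# Constructed sample of /proc/net/unix (not captured from a real host).
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000000: 00000002 00000000 00010000 0001 01 12345 @/tmp/dbus-AbCdEfGh
0000000000000000: 00000002 00000000 00010000 0001 01 12346 /run/user/1000/bus
0000000000000000: 00000003 00000000 00000000 0001 03 12347
0000000000000000: 00000002 00000000 00010000 0001 01 12348 @/tmp/dbus-Zz9Yy8Xx
"""


def find_abstract_dbus_sockets(proc_net_unix):
    """Return abstract '/tmp/dbus-*' names from a /proc/net/unix dump.
    The table is readable by every local user, so the name is no secret."""
    names = []
    for line in proc_net_unix.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) >= 8 and fields[7].startswith("@/tmp/dbus-"):
            names.append(fields[7][1:])              # strip the '@' marker
    return names


def _read_line(conn):
    """Read one CRLF-terminated auth line; None if the peer hung up."""
    buf = b""
    while not buf.endswith(b"\r\n"):
        chunk = conn.recv(1)
        if not chunk:
            return None
        buf += chunk
    return buf[:-2].decode("ascii", "replace")


def _peer_uid(conn):
    """Peer UID as reported by the kernel (SO_PEERCRED), which the client
    cannot forge, unlike the UID it writes into AUTH EXTERNAL."""
    _pid, uid, _gid = struct.unpack("3i", conn.getsockopt(
        socket.SOL_SOCKET, socket.SO_PEERCRED, struct.calcsize("3i")))
    return uid


def serve_one_handshake(listener, owner_uid, guid):
    """Server half for one client. owner_uid=None: accept any mechanism and
    never look at the peer (the flaw). A UID: EXTERNAL only, and the kernel-
    reported peer UID must equal it (the observer-style check)."""
    conn, _ = listener.accept()
    with conn:
        conn.settimeout(5)
        if conn.recv(1) != b"\0":               # handshake opens with NUL
            return "bad-start"
        line = _read_line(conn)
        parts = line.split() if line else []
        mech = parts[1] if len(parts) >= 2 and parts[0] == "AUTH" else None
        if owner_uid is None:
            offered, accepted = "EXTERNAL ANONYMOUS", mech in ("EXTERNAL", "ANONYMOUS")
        else:
            offered = "EXTERNAL"
            accepted = mech == "EXTERNAL" and _peer_uid(conn) == owner_uid
        if not accepted:
            conn.sendall(("REJECTED " + offered + "\r\n").encode("ascii"))
            return "rejected"
        conn.sendall(("OK " + guid + "\r\n").encode("ascii"))
        return "ok" if _read_line(conn) == "BEGIN" else "no-begin"


def probe(abstract_name, mechanism):
    """Client half: offer one mechanism. Returns ("OK", guid),
    ("REJECTED", offered mechanisms) or ("CLOSED", None)."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.settimeout(5)
        s.connect(b"\0" + abstract_name.encode("ascii"))
        if mechanism == "EXTERNAL":
            initial = str(MY_UID).encode("ascii").hex()   # decimal UID, hex-encoded
            s.sendall(b"\0AUTH EXTERNAL " + initial.encode("ascii") + b"\r\n")
        else:
            s.sendall(b"\0AUTH ANONYMOUS\r\n")
        reply = _read_line(s)
        if reply is None:
            return ("CLOSED", None)
        verb, _, rest = reply.partition(" ")
        if verb == "OK":
            s.sendall(b"BEGIN\r\n")
        return (verb, rest)


def run_exchange(owner_uid, mechanism):
    """Serve one handshake under the given policy on a fresh abstract socket
    and probe it. Returns (client_result, server_outcome)."""
    name = "/tmp/dbus-demo-" + uuid.uuid4().hex[:8]    # assumed name
    guid = uuid.uuid4().hex                              # 32-hex GUID, D-Bus style
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    listener.bind(b"\0" + name.encode("ascii"))
    listener.listen(1)
    listener.settimeout(5)
    outcome = {}

    def serve():
        outcome["server"] = serve_one_handshake(listener, owner_uid, guid)

    server = threading.Thread(target=serve)
    server.start()
    try:
        client = probe(name, mechanism)
    finally:
        server.join()
        listener.close()
    return client, outcome.get("server", "no-client")


if __name__ == "__main__":
    print("abstract sockets:", find_abstract_dbus_sockets(SAMPLE_PROC_NET_UNIX))
    print("flawed, ANONYMOUS:", run_exchange(None, "ANONYMOUS"))
    print("fixed,  ANONYMOUS:", run_exchange(MY_UID, "ANONYMOUS"))
    print("fixed,  EXTERNAL: ", run_exchange(MY_UID, "EXTERNAL"))
    print("other owner, EXTERNAL:", run_exchange(MY_UID + 1, "EXTERNAL"))
```

The same `probe` function, pointed at a real `unix:abstract=` name taken from `/proc/net/unix`, tells you whether a server still answers `OK` to `AUTH ANONYMOUS`; a server that authorizes its peers should not, and should also refuse EXTERNAL from a UID other than its owner's. Note that the fixed policy decides on the SO_PEERCRED UID, not on the UID string the client sends in the EXTERNAL initial response, because the latter is under the attacker's control.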

Comment 6 Riccardo Schirone 2019-08-29 11:54:40 UTC
An attacker who can access the AF_UNIX socket of another user could use it to monitor all the DBus methods called on the bus or call most available methods without any authorization check. This flaw could be used to intercept all the keystrokes of a user connected to the graphical interface (e.g. GNOME), change the input context and perform other operations regularly done by the ibus command.

Comment 9 Riccardo Schirone 2019-08-30 08:20:37 UTC
Acknowledgments:

Name: Simon McVittie (Collabora Ltd.)

Comment 11 Riccardo Schirone 2019-08-30 14:03:27 UTC
ibus receives the pressed key events only if an ibus Input Method (IM) framework is in use (e.g. Korean from the ibus-hangul package, Chinese input methods from the ibus-libpinyin package, etc.); otherwise GNOME uses other input frameworks (e.g. gtk-im-context-simple). Thus, the ability of an attacker to intercept the pressed keys depends on the Input Method configuration in use by the victim user.

Comment 15 Riccardo Schirone 2019-09-06 09:11:38 UTC
Statement:

GNOME uses the ibus input framework only when the user explicitly configures it or when some input method sources are in use, like Korean from the ibus-hangul package or Chinese input methods from the ibus-libpinyin package. Input methods like en-US are not handled by ibus, thus if the victim user just uses them, the attacker will not be able to intercept the keystrokes of that user.

Comment 17 Riccardo Schirone 2019-09-13 07:02:20 UTC
Upstream patch:
https://github.com/ibus/ibus/commit/3d442dbf936d197aa11ca0a71663c2bc61696151

Comment 18 Riccardo Schirone 2019-09-13 07:19:15 UTC
Created ibus tracking bugs for this issue:

Affects: fedora-all [bug 1751940]

Comment 19 Riccardo Schirone 2019-09-13 09:19:24 UTC
oss-security email:
https://www.openwall.com/lists/oss-security/2019/09/13/1

Comment 20 errata-xmlrpc 2020-04-28 16:03:09 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1880 https://access.redhat.com/errata/RHSA-2020:1880

Comment 21 Product Security DevOps Team 2020-04-28 16:32:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14822

Comment 22 errata-xmlrpc 2020-09-29 20:17:27 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3978 https://access.redhat.com/errata/RHSA-2020:3978
