Bug 1719344 (CVE-2019-12749) - CVE-2019-12749 dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass
Summary: CVE-2019-12749 dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-12749
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1725571 1720995 1725570 1725574 1749678 1749679 1749680
Blocks: 1719346
TreeView+ depends on / blocked
 
Reported: 2019-06-11 14:30 UTC by Pedro Sampaio
Modified: 2019-12-03 22:54 UTC (History)
15 users (show)

Fixed In Version: dbus 1.10.28, dbus 1.12.16, dbus 1.13.12
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-07-12 13:07:32 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:4079 None None None 2019-12-03 21:16:55 UTC
Red Hat Product Errata RHSA-2019:1726 None None None 2019-07-10 11:14:04 UTC
Red Hat Product Errata RHSA-2019:2868 None None None 2019-09-23 12:26:47 UTC
Red Hat Product Errata RHSA-2019:2870 None None None 2019-09-23 12:23:21 UTC
Red Hat Product Errata RHSA-2019:3707 None None None 2019-11-05 22:07:49 UTC

Description Pedro Sampaio 2019-06-11 14:30:56 UTC
A flaw was discovered in dbus where the implementation of DBUS_COOKIE_SHA1 is susceptible to a symbolic link attack. A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to read and write in unintended locations. This could result in authentication bypass.

Comment 1 Pedro Sampaio 2019-06-11 14:33:56 UTC
Acknowledgments:

Name: the D-Bus project
Upstream: Joe Vennix (Apple Information Security)

Comment 2 Pedro Sampaio 2019-06-11 23:40:51 UTC
Its public now: https://www.openwall.com/lists/oss-security/2019/06/11/2

Comment 3 Huzaifa S. Sidhpurwala 2019-06-17 05:34:47 UTC
Upstream patch: https://gitlab.freedesktop.org/dbus/dbus/commit/47b1a4c41004bf494b87370987b222c934b19016

Comment 4 Huzaifa S. Sidhpurwala 2019-06-17 05:35:28 UTC
Created dbus tracking bugs for this issue:

Affects: fedora-all [bug 1720995]

Comment 5 Huzaifa S. Sidhpurwala 2019-06-17 05:42:15 UTC
As per upstream:

This is mitigated by the fact that by default, the well-known system dbus-daemon (since 2003) and the well-known session dbus-daemon (in stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1 at an early stage, before manipulating cookies. 

Red Hat Enterprise Linux 7 and 8, both ship dbus >= 1.10 and therefore are affected by this flaw only when system or session dbus-daemons are used under non-standard configurations or by third party users of DBusServer. Either of these use-cases are not applicable to Red Hat Enterprise Linux.

Comment 7 Huzaifa S. Sidhpurwala 2019-06-17 05:42:21 UTC
External References:

https://www.openwall.com/lists/oss-security/2019/06/11/2

Comment 8 Huzaifa S. Sidhpurwala 2019-07-01 06:23:42 UTC
Statement:

This flaw is mitigated by the fact that by default, the well-known system dbus-daemon (since 2003) and the well-known session dbus-daemon (in stable releases since dbus 1.10.0 in 2015) only accept the EXTERNAL authentication mechanism, and as a result will reject DBUS_COOKIE_SHA1 at an early stage, before manipulating cookies. 

Red Hat Enterprise Linux 6 is affected by this flaw, which can be leveraged to achieve privilege escalation via upstart.  This issue has been rated as having important impact for Red Hat Enterprise Linux 6.

Red Hat Enterprise Linux 7 and 8, both ship dbus >= 1.10 and therefore are affected by this flaw only when system or session dbus-daemons are used under non-standard configurations or by third party users of DBusServer.  Red Hat Enterprise Linux 7 and 8 does not ship any affected DBusServer cosumer. However third party applications may be affected.

Comment 10 errata-xmlrpc 2019-07-10 11:14:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2019:1726 https://access.redhat.com/errata/RHSA-2019:1726

Comment 11 Product Security DevOps Team 2019-07-12 13:07:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-12749

Comment 13 errata-xmlrpc 2019-09-23 12:23:19 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.5 Advanced Update Support

Via RHSA-2019:2870 https://access.redhat.com/errata/RHSA-2019:2870

Comment 14 errata-xmlrpc 2019-09-23 12:26:46 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6.6 Advanced Update Support

Via RHSA-2019:2868 https://access.redhat.com/errata/RHSA-2019:2868

Comment 15 errata-xmlrpc 2019-11-05 22:07:48 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:3707 https://access.redhat.com/errata/RHSA-2019:3707


Note You need to log in before you can comment on or make changes to this bug.