Bug 1849041 (CVE-2020-12049) - CVE-2020-12049 dbus: denial of service via file descriptor leak
Summary: CVE-2020-12049 dbus: denial of service via file descriptor leak
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-12049
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1849042 1851991 1851992 1851994 1851995 1851996 1851997 1860089 1870641 1870642 1889758
Blocks: 1849043
Reported: 2020-06-19 14:03 UTC by Dhananjay Arunesh
Modified: 2021-02-16 19:49 UTC (History)

Fixed In Version: dbus 1.13.16, dbus 1.12.18, dbus 1.10.30
Doc Text:
An uncontrolled resource consumption vulnerability was discovered in D-Bus. The DBusServer leaks file descriptors when a message exceeds the per-message file descriptor limit. This flaw allows a local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients. As a result, the system may become unusable for other users, and some services may stop working. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-07-13 13:27:41 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2020:2903 0 None None None 2020-07-14 10:15:13 UTC
Red Hat Product Errata RHBA-2020:2904 0 None None None 2020-07-14 10:15:44 UTC
Red Hat Product Errata RHBA-2020:2928 0 None None None 2020-07-15 01:00:49 UTC
Red Hat Product Errata RHBA-2020:2929 0 None None None 2020-07-15 01:08:55 UTC
Red Hat Product Errata RHBA-2020:2930 0 None None None 2020-07-15 01:09:32 UTC
Red Hat Product Errata RHBA-2020:2931 0 None None None 2020-07-15 01:10:19 UTC
Red Hat Product Errata RHBA-2020:2932 0 None None None 2020-07-15 01:10:54 UTC
Red Hat Product Errata RHBA-2020:2934 0 None None None 2020-07-15 10:05:08 UTC
Red Hat Product Errata RHBA-2020:2940 0 None None None 2020-07-15 12:27:07 UTC
Red Hat Product Errata RHBA-2020:2949 0 None None None 2020-07-15 13:56:43 UTC
Red Hat Product Errata RHBA-2020:2952 0 None None None 2020-07-15 14:12:01 UTC
Red Hat Product Errata RHBA-2020:2962 0 None None None 2020-07-15 15:22:52 UTC
Red Hat Product Errata RHBA-2020:2963 0 None None None 2020-07-15 15:29:22 UTC
Red Hat Product Errata RHBA-2020:2987 0 None None None 2020-07-16 17:40:41 UTC
Red Hat Product Errata RHBA-2020:2993 0 None None None 2020-07-20 07:06:51 UTC
Red Hat Product Errata RHBA-2020:3080 0 None None None 2020-07-22 00:19:17 UTC
Red Hat Product Errata RHBA-2020:3112 0 None None None 2020-07-22 13:58:16 UTC
Red Hat Product Errata RHBA-2020:3124 0 None None None 2020-07-23 10:42:54 UTC
Red Hat Product Errata RHBA-2020:3131 0 None None None 2020-07-23 14:09:51 UTC
Red Hat Product Errata RHBA-2020:3132 0 None None None 2020-07-23 14:43:21 UTC
Red Hat Product Errata RHBA-2020:3211 0 None None None 2020-07-29 15:31:11 UTC
Red Hat Product Errata RHBA-2020:3215 0 None None None 2020-07-29 15:37:45 UTC
Red Hat Product Errata RHBA-2020:3278 0 None None None 2020-08-03 13:14:00 UTC
Red Hat Product Errata RHBA-2020:3304 0 None None None 2020-08-04 12:38:41 UTC
Red Hat Product Errata RHBA-2020:3307 0 None None None 2020-08-04 12:35:56 UTC
Red Hat Product Errata RHBA-2020:3444 0 None None None 2020-08-12 13:42:01 UTC
Red Hat Product Errata RHBA-2020:3446 0 None None None 2020-08-12 14:43:16 UTC
Red Hat Product Errata RHBA-2020:3447 0 None None None 2020-08-12 14:43:51 UTC
Red Hat Product Errata RHBA-2020:3448 0 None None None 2020-08-12 14:44:29 UTC
Red Hat Product Errata RHBA-2020:3452 0 None None None 2020-08-12 21:17:03 UTC
Red Hat Product Errata RHBA-2020:3531 0 None None None 2020-08-20 11:02:46 UTC
Red Hat Product Errata RHSA-2020:2894 0 None None None 2020-07-13 11:21:42 UTC
Red Hat Product Errata RHSA-2020:3014 0 None None None 2020-07-21 11:08:36 UTC
Red Hat Product Errata RHSA-2020:3044 0 None None None 2020-07-21 14:33:53 UTC
Red Hat Product Errata RHSA-2020:3298 0 None None None 2020-08-04 07:39:14 UTC

Description Dhananjay Arunesh 2020-06-19 14:03:40 UTC
An issue was discovered in dbus >= 1.3.0 before 1.12.18. The DBusServer in libdbus, as used in dbus-daemon, leaks file descriptors when a message exceeds the per-message file descriptor limit. A local attacker with access to the D-Bus system bus or another system service's private AF_UNIX socket could use this to make the system service reach its file descriptor limit, denying service to subsequent D-Bus clients.

References:
http://www.openwall.com/lists/oss-security/2020/06/04/3
https://gitlab.freedesktop.org/dbus/dbus/-/issues/294
https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.10.30
https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.12.18
https://gitlab.freedesktop.org/dbus/dbus/-/tags/dbus-1.13.16

Comment 1 Dhananjay Arunesh 2020-06-19 14:04:05 UTC
Created dbus tracking bugs for this issue:

Affects: fedora-all [bug 1849042]

Comment 5 Riccardo Schirone 2020-06-29 15:09:13 UTC
Function _dbus_read_socket_with_unix_fds() does not close the opened file descriptors when the control data of the message was truncated. This leaks some file descriptors. If multiple file descriptors are leaked, the dbus process can reach its RLIMIT_NOFILE limit enforced by the system, thus when later some service tries to use the bus, DBus is not able to operate properly because it cannot allocate more file descriptors. As DBus is nowadays used by multiple services, the system becomes almost unusable.
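
The cleanup that comment 5 describes as missing, as an added example (not dbus source code and not part of the original bug report): a receiver that closes every descriptor the kernel already installed when recvmsg() reports MSG_CTRUNC, plus a constructed socketpair self-test. The names recv_with_fds, fds_delivered, ctl_buf and the MAX_FDS value are hypothetical.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_FDS 4 /* hypothetical per-message fd limit for this demo */
typedef union { char b[CMSG_SPACE(8 * sizeof(int))]; struct cmsghdr align; } ctl_buf;
/* Read one message. Returns bytes read, or -1 (ENOSPC) if too many fds were sent. */
static ssize_t recv_with_fds(int sock, char *buf, size_t len, int *fds, int *n_fds) {
    ctl_buf ctl;
    struct iovec iov = { buf, len };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.b,
                        .msg_controllen = CMSG_LEN(MAX_FDS * sizeof(int)) };
    ssize_t r = recvmsg(sock, &m, 0);
    *n_fds = 0;
    if (r < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&m); c; c = CMSG_NXTHDR(&m, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        int n = (int)((c->cmsg_len - CMSG_LEN(0)) / sizeof(int));
        memcpy(fds + *n_fds, CMSG_DATA(c), n * sizeof(int));
        *n_fds += n;
    }
    if (!(m.msg_flags & MSG_CTRUNC)) return r;
    /* Truncated: the kernel already installed the fds that fit; close them or they leak. */
    while (*n_fds > 0) close(fds[--*n_fds]);
    errno = ENOSPC;
    return -1;
}

/* Constructed demo: pass n_send (1..8) fds; returns fds delivered, or -1 on a leak. */
static int fds_delivered(int n_send) {
    int sv[2], got[MAX_FDS], n_got, lo, hi;
    ctl_buf ctl = { { 0 } };
    char byte = 'x';
    struct iovec iov = { &byte, 1 };
    struct msghdr m = { .msg_iov = &iov, .msg_iovlen = 1, .msg_control = ctl.b,
                        .msg_controllen = CMSG_SPACE(n_send * sizeof(int)) };
    if (n_send < 1 || n_send > 8 || socketpair(AF_UNIX, SOCK_STREAM, 0, sv)) return -1;
    struct cmsghdr *c = CMSG_FIRSTHDR(&m);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(n_send * sizeof(int));
    for (int i = 0; i < n_send; i++) memcpy(CMSG_DATA(c) + i * sizeof(int), &sv[0], sizeof(int));
    lo = dup(sv[0]); close(lo);               /* lowest free fd before receiving */
    if (sendmsg(sv[0], &m, 0) != 1) return -1;
    recv_with_fds(sv[1], &byte, 1, got, &n_got);
    for (int i = 0; i < n_got; i++) close(got[i]);
    hi = dup(sv[0]); close(hi);               /* same slot again unless fds leaked */
    close(sv[0]); close(sv[1]);
    return hi == lo ? n_got : -1;
}
int main(void) { return fds_delivered(2) == 2 && fds_delivered(6) == 0 ? 0 : 1; }
```

Removing the `while` loop in the MSG_CTRUNC branch makes `fds_delivered(6)` return -1, because the descriptors that fit in the control buffer stay open in the receiving process.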

Comment 7 Riccardo Schirone 2020-06-29 15:28:39 UTC
Statement:

This issue did not affect the versions of dbus as shipped with Red Hat Enterprise Linux 5 and 6, as they did not include the vulnerable code.

Comment 8 errata-xmlrpc 2020-07-13 11:21:39 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:2894 https://access.redhat.com/errata/RHSA-2020:2894

Comment 9 Product Security DevOps Team 2020-07-13 13:27:41 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-12049

Comment 11 Chuck Svoboda 2020-07-20 16:28:24 UTC
How is this closed?  RHEL8 is affected and there is no security advisory.

Comment 12 errata-xmlrpc 2020-07-21 11:08:32 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:3014 https://access.redhat.com/errata/RHSA-2020:3014

Comment 13 errata-xmlrpc 2020-07-21 14:33:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions

Via RHSA-2020:3044 https://access.redhat.com/errata/RHSA-2020:3044

Comment 16 errata-xmlrpc 2020-08-04 07:39:12 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2020:3298 https://access.redhat.com/errata/RHSA-2020:3298
