gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account. External Reference: https://gitlab.gnome.org/GNOME/gdm/-/issues/642
Created gdm tracking bugs for this issue: Affects: fedora-all [bug 1901995]
Upstream patch: https://gitlab.gnome.org/GNOME/gdm/-/commit/4e6e5335d29c039bed820c43bfd1c19cb62539ff
To exploit this issue an attacker would require another flaw in accounts-daemon or be able to somehow block dbus services from working properly. For this reason its impact was determined to be Low.
By default GDM assumes that no users exist on the system and it calls AccountService service through DBus to check if that's true or not. However, in case something goes wrong with the DBus call, the default value would not be changed and an utility to configure a new admin user is called. For this reason, if a physical attacker can somehow stop the DBus call he would be able to trick GDM into running the utility and create a new admin user.
Ubuntu runs a particular version of accounts-daemon with specific patches that makes it vulnerable to a Denial of Service attack. See CVE-2020-16126 and CVE-2020-16127. Those can be used to actually make the AccountService call timeout and trigger this issue. We are not aware of such issues in Red Hat products.