Bug 469151 - (CVE-2008-4311) CVE-2008-4311 dbus: incorrect use of [send|receive]_requested_reply policy rule attribute in system.conf
Status: CLOSED WONTFIX
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
Whiteboard: public=20081205,reported=20081026,sou...
Keywords: Security
Depends On: 474895 489875 489877 489878 489879 489884 489886 489894 489899 489953 489955
Reported: 2008-10-30 05:51 EDT by Tomas Hoger
Modified: 2015-02-17 10:31 EST (History)
Doc Type: Bug Fix
Last Closed: 2015-02-17 10:31:36 EST

Attachments:
The change I proposed in the upstream bug (1.11 KB, patch), 2008-11-18 04:32 EST, Tomas Hoger

External Trackers:
FreeDesktop.org 18229
Debian BTS 503532

Description Tomas Hoger 2008-10-30 05:51:25 EDT
Joachim Breitner discovered that dbus policy rules with send_requested_reply="true" condition are not evaluated correctly and are also applied to non-reply messages.  This may result in the request message being allowed, even though it should have been denied.  This occurs when a service does not specify explicit <deny> rules and relies on the default <deny send_interface="*"/> rule listed in system.conf file that may be overridden by the <allow send_requested_reply="true"/> rule, resulting in a bypass of the intended access restrictions policy.

Note: Most services using system bus seem to specify context="default" deny rules explicitly without relying on the default system bus access policy.

References:
http://bugs.freedesktop.org/show_bug.cgi?id=18229
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503532
Comment 2 Tomas Hoger 2008-10-31 05:26:08 EDT
Brief summary of my upstream comment:
  http://bugs.freedesktop.org/show_bug.cgi?id=18229#c4

Current behaviour seems to comply with the semantics documented in dbus-daemon(1) man page.  Attributes [send|receive]_requested_reply are defined to be ignored for non-reply messages.  Therefore default system.conf configuration file seems to rely on an incorrect assumption that rule:

  <allow send_requested_reply="true"/>

only applies to reply messages, while it's actually <allow/> for non-replies.

We may need to change default system.conf to list:

  <allow send_requested_reply="true" send_type="method_return"/>
  <allow send_requested_reply="true" send_type="error"/>

(and similar for receive_requested_reply)

to make sure rule only applies to intended message types.  Other patches proposed so far change previously defined semantics.
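
Added example (not part of the bug report and not D-Bus project code): a small Python check that flags `<allow>` rules in a bus policy file which set `send_requested_reply` or `receive_requested_reply` to "true" without limiting the rule to the `method_return` or `error` message types, which is the scoping proposed in the comment above. Both policy snippets are constructed for illustration, and the function and constant names are hypothetical.

```python
import xml.etree.ElementTree as ET

REPLY_TYPES = {"method_return", "error"}
# requested_reply attribute -> message-type attribute that must scope it
SCOPING = {"send_requested_reply": "send_type",
           "receive_requested_reply": "receive_type"}

def unscoped_reply_rules(policy_xml):
    """Return (policy_selector, reply_attr, rule_attrs) for every <allow> rule
    that sets *_requested_reply="true" without a reply-only message type."""
    findings = []
    root = ET.fromstring(policy_xml.strip())
    for policy in root.iter("policy"):
        # Describe the <policy> element by its own attributes (e.g. context=).
        selector = ",".join(f"{k}={v}" for k, v in policy.attrib.items())
        for rule in policy.findall("allow"):
            for reply_attr, type_attr in SCOPING.items():
                if (rule.get(reply_attr) == "true"
                        and rule.get(type_attr) not in REPLY_TYPES):
                    findings.append((selector, reply_attr, dict(rule.attrib)))
    return findings

# Constructed sample: the rule shape discussed in the report.
BEFORE = """
<busconfig>
  <policy context="default">
    <deny send_interface="*"/>
    <allow send_requested_reply="true"/>
    <allow receive_requested_reply="true"/>
  </policy>
</busconfig>
"""

# Constructed sample: the same policy with the proposed message-type scoping.
AFTER = """
<busconfig>
  <policy context="default">
    <deny send_interface="*"/>
    <allow send_requested_reply="true" send_type="method_return"/>
    <allow send_requested_reply="true" send_type="error"/>
    <allow receive_requested_reply="true" receive_type="method_return"/>
    <allow receive_requested_reply="true" receive_type="error"/>
  </policy>
</busconfig>
"""

if __name__ == "__main__":
    for selector, attr, attrs in unscoped_reply_rules(BEFORE):
        print(f"[{selector}] {attr} not limited to reply types: {attrs}")
```
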
Comment 4 Tomas Hoger 2008-11-12 09:27:35 EST
Another update from the upstream bug:

Restricting rule:

  <allow receive_requested_reply="true"/>

seems to be problematic, as too many applications mistakenly rely on this rule.  Each dbus message is checked against policy two times - first to check if sender is permitted to send the message, second to check if receiver is permitted to receive the message.

So the applications may have all send rules defined correctly, very few have any receive rules.
Comment 5 Dan Williams 2008-11-17 11:35:54 EST
Is there a patch for this yet upstream?
Comment 6 Tomas Hoger 2008-11-18 04:32:04 EST
Created attachment 323869 [details]
The change I proposed in the upstream bug
Comment 7 Dan Williams 2008-12-01 12:14:11 EST
Yeah, let's see if davidz can get some upstream comment on it.  I don't feel comfortable putting this into RHEL until we get _somebody_ from upstream to sign off on it.
Comment 11 Tomas Hoger 2008-12-07 05:29:17 EST
Public now via new upstream release 1.2.6:
  http://lists.freedesktop.org/archives/dbus/2008-December/010702.html
Comment 13 Jan Lieskovsky 2008-12-10 06:25:56 EST
From CVE entry:

The default configuration of system.conf in D-Bus (aka DBus) before
1.2.6 omits the send_type attribute in certain rules, which allows
local users to bypass intended access restrictions by (1) sending
messages, related to send_requested_reply; and possibly (2) receiving
messages, related to receive_requested_reply.

Adding other references:
http://lists.freedesktop.org/archives/dbus/2008-December/010702.html
http://www.securityfocus.com/bid/32674
http://www.vupen.com/english/advisories/2008/3355
http://secunia.com/advisories/33047
http://secunia.com/advisories/33055
http://xforce.iss.net/xforce/xfdb/47138
Comment 31 Josh Bressers 2009-09-22 14:58:30 EDT
I am going to defer this issue. The fix is very complicated and the risk outweighs the potential reward. This flaw may be fixed in a future dbus update.
Comment 32 Vincent Danen 2015-02-17 10:31:36 EST
Statement:

Red Hat Enterprise Linux 5 is now in Production 3 Phase of the support and maintenance life cycle. This has been rated as having Moderate security impact and is not currently planned to be addressed in future updates. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
