Bug 1901994 (CVE-2020-16125) - CVE-2020-16125 gdm: inability to timely contact accountservice via dbus leads gnome-initial-setup to creation of account with admin privileges
Summary: CVE-2020-16125 gdm: inability to timely contact accountservice via dbus leads...
Alias: CVE-2020-16125
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1901995 1902261 1910524 1918391
Blocks: 1901996
TreeView+ depends on / blocked
Reported: 2020-11-26 14:56 UTC by Marian Rehak
Modified: 2022-04-17 21:03 UTC (History)
8 users (show)

Fixed In Version: gdm-3.36.2 gdm-3.38.2
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in GDM. If gdm can't contact the AccountService service via DBus in a timely manner it would default to assume there are no existing users and would allow the attacker to create a new user with high privileges.
Clone Of:
Last Closed: 2021-10-28 10:29:57 UTC

Attachments (Terms of Use)

Description Marian Rehak 2020-11-26 14:56:14 UTC
gdm3 versions before 3.36.2 or 3.38.2 would start gnome-initial-setup if gdm3 can't contact the accountservice service via dbus in a timely manner; on Ubuntu (and potentially derivatives) this could be be chained with an additional issue that could allow a local user to create a new privileged account.

External Reference:


Comment 1 Marian Rehak 2020-11-26 14:56:32 UTC
Created gdm tracking bugs for this issue:

Affects: fedora-all [bug 1901995]

Comment 3 Riccardo Schirone 2020-11-27 13:22:35 UTC
To exploit this issue an attacker would require another flaw in accounts-daemon or be able to somehow block dbus services from working properly. For this reason its impact was determined to be Low.

Comment 4 Riccardo Schirone 2020-11-27 13:24:58 UTC
By default GDM assumes that no users exist on the system and it calls AccountService service through DBus to check if that's true or not. However, in case something goes wrong with the DBus call, the default value would not be changed and an utility to configure a new admin user is called. For this reason, if a physical attacker can somehow stop the DBus call he would be able to trick GDM into running the utility and create a new admin user.

Comment 5 Riccardo Schirone 2020-11-27 14:08:26 UTC
Ubuntu runs a particular version of accounts-daemon with specific patches that makes it vulnerable to a Denial of Service attack. See CVE-2020-16126 and CVE-2020-16127. Those can be used to actually make the AccountService call timeout and trigger this issue. We are not aware of such issues in Red Hat products.

Note You need to log in before you can comment on or make changes to this bug.