Message-ID: <20200604105637.GA275582@espresso.pseudorandom.co.uk>
Date: Thu, 4 Jun 2020 11:56:37 +0100
From: Simon McVittie <smcv@...ian.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2020-12049: dbus: denial of service via file descriptor leak

References: CVE-2020-12049, GHSL-2020-057, dbus#294.

dbus is the reference implementation of D-Bus, a user-space IPC mechanism originating from freedesktop.org and commonly used on Linux and other Unix systems.

Kevin Backhouse of the GitHub Security Lab discovered a denial of service vulnerability[0] in dbus >= 1.3.0. An unprivileged local attacker can cause the system dbus-daemon (dbus-daemon --system) to leak file descriptors (fds) by sending messages with a number of fds that exceeds the allowed number, resulting in truncation. The attacker's connection is (correctly) disconnected, but the fds that were attached to the truncated message are (incorrectly) not closed.

By repeating this process, the attacker can make the dbus-daemon reach its RLIMIT_NOFILE limit. When this limit is reached, new connections will fail, and existing connections will be unable to send messages with fds attached, causing denial of service.

The same attack is also possible in the uncommon situation where processes of different privilege levels communicate directly using a private D-Bus socket (DBusServer) without going via a dbus-daemon.

In the development branch, this has been fixed[1] in version 1.13.16. Older releases are vulnerable, except where noted below.

In the stable branch 1.12.x, this has been fixed in version 1.12.18. This is the recommended version of dbus for production use and for long-term-stable operating systems.

In the old stable branch 1.10.x, this has been fixed in version 1.10.30. This branch is maintained for the benefit of older long-term-stable operating systems such as Debian 9, and will reach end-of-life soon[2].

Older stable branches such as 1.8.x have reached end-of-life and will not receive upstream releases to fix this. Upgrading is recommended. However, the patch used in supported versions[1] is believed to be suitable for third-party backports to older releases.

We have received a report[3] that in at least OmniOS (a Solaris/OpenSolaris/illumos derivative), the solution that was committed causes a regression due to differences in the behaviour of SCM_RIGHTS between Linux and OmniOS. This is under investigation.

On non-Linux operating systems such as BSD and Solaris, before deploying a fixed version, package maintainers should try running the 'test-fdpass' test case to confirm whether their OS kernel has the Linux-like or OmniOS-like behaviour. This test-case requires building dbus with the --enable-modular-tests configure option, with GLib development files available; GLib is only used for the automated tests, and is not a dependency of the parts of dbus used in production.

[0] https://gitlab.freedesktop.org/dbus/dbus/-/issues/294
[1] https://gitlab.freedesktop.org/dbus/dbus/-/commit/872b085f12f56da25a2dbd9bd0b2dff31d5aea63
[2] https://lists.freedesktop.org/archives/dbus/2020-June/017873.html
[3] https://gitlab.freedesktop.org/dbus/dbus/-/issues/304

-- 
Simon McVittie, Collabora Ltd. / Debian
dbus security contact: https://gitlab.freedesktop.org/dbus/dbus/-/blob/master/CONTRIBUTING.md#reporting-security-vulnerabilities
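As an added illustration of the truncation case described in the advisory (my own demo, not dbus code and not the patch in [1]): a minimal SCM_RIGHTS receiver that closes whatever descriptors the kernel did install when recvmsg reports MSG_CTRUNC, paired with a constructed sender and a self-check that counts open fds before and after each exchange. It assumes the Linux behaviour the advisory contrasts with OmniOS, namely that a truncated control message still delivers the fds that fit; the limit MAX_FDS, MAX_SEND and all function names are constructed for the demo.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define MAX_FDS  2   /* constructed per-message fd limit for this demo, not dbus's value */
#define MAX_SEND 8   /* most fds the constructed sender will attach to one message */

/* Constructed sender: attach n copies of fd to a one-byte message and send it. */
static int send_fds(int sock, int fd, int n) {
    char data = 'x', cbuf[CMSG_SPACE(sizeof(int) * MAX_SEND)] = { 0 };
    struct msghdr msg = { .msg_iov = &(struct iovec){ &data, 1 }, .msg_iovlen = 1, .msg_control = cbuf };
    if (n < 1 || n > MAX_SEND) { errno = EINVAL; return -1; }
    msg.msg_controllen = CMSG_SPACE(sizeof(int) * n);
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET; c->cmsg_type = SCM_RIGHTS; c->cmsg_len = CMSG_LEN(sizeof(int) * n);
    for (int i = 0; i < n; i++) memcpy(CMSG_DATA(c) + i * sizeof(int), &fd, sizeof fd);
    return sendmsg(sock, &msg, 0) < 0 ? -1 : 0;
}

/* Receiver with room for at most MAX_FDS descriptors. On Linux a truncated SCM_RIGHTS
 * (MSG_CTRUNC) still installs the fds that fit, so they are closed before the message
 * is rejected; leaving them open on rejection is the leak the advisory describes. */
static int recv_fds_checked(int sock, int fds[MAX_FDS], int *nfds) {
    char data, cbuf[CMSG_SPACE(sizeof(int) * MAX_FDS)];
    struct msghdr msg = { .msg_iov = &(struct iovec){ &data, 1 }, .msg_iovlen = 1,
                          .msg_control = cbuf, .msg_controllen = sizeof cbuf };
    int n = 0;
    if (recvmsg(sock, &msg, MSG_CMSG_CLOEXEC) < 0) return -1;
    for (struct cmsghdr *c = CMSG_FIRSTHDR(&msg); c; c = CMSG_NXTHDR(&msg, c)) {
        if (c->cmsg_level != SOL_SOCKET || c->cmsg_type != SCM_RIGHTS) continue;
        for (unsigned char *p = CMSG_DATA(c); n < MAX_FDS && p + sizeof(int) <= (unsigned char *)c + c->cmsg_len;
             p += sizeof(int)) memcpy(&fds[n++], p, sizeof(int));
    }
    if (!(msg.msg_flags & MSG_CTRUNC)) { *nfds = n; return 0; }
    while (n > 0) close(fds[--n]);   /* the fix: release what did arrive before rejecting */
    errno = EMSGSIZE; return -1;
}

static int count_open_fds(void) {  /* a leak shows up as a rise in this count */
    int open = 0; for (int i = 0; i < 4096; i++) open += fcntl(i, F_GETFD) != -1; return open;
}

/* One exchange over a socketpair: send nsend copies of the socket's own fd, receive under
 * the limit, close everything. Returns fds accepted, -1 if rejected, -2 if any fd leaked. */
static int exchange(int nsend) {
    int sv[2], fds[MAX_FDS], n = 0, got, rc = -1, before = count_open_fds();
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    if (send_fds(sv[0], sv[0], nsend) == 0) rc = recv_fds_checked(sv[1], fds, &n);
    for (got = n; n > 0; ) close(fds[--n]);
    close(sv[0]); close(sv[1]);
    if (count_open_fds() != before) return -2;
    return rc < 0 ? -1 : got;
}
```

A kernel with the OmniOS-like behaviour the advisory mentions may not deliver the same control data on truncation, which is why the advisory points maintainers at the test-fdpass case before shipping a fix.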