CVE-2019-12749

dbus: DBusServer DBUS_COOKIE_SHA1 authentication bypass

Severity Score

7.1

*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

dbus before 1.10.28, 1.12.x before 1.12.16, and 1.13.x before 1.13.12, as used in DBusServer in Canonical Upstart in Ubuntu 14.04 (and in some, less common, uses of dbus-daemon), allows cookie spoofing because of symlink mishandling in the reference implementation of DBUS_COOKIE_SHA1 in the libdbus library. (This only affects the DBUS_COOKIE_SHA1 authentication mechanism.) A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause a DBusServer with a different uid to read and write in unintended locations. In the worst case, this could result in the DBusServer reusing a cookie that is known to the malicious client, and treating that cookie as evidence that a subsequent client connection came from an attacker-chosen uid, allowing authentication bypass.

dbus anterior a versión 1.10.28, versión 1.12.x anterior a 1.12.16, y versión 1.13.x anterior a 1.13.12, como es usado en DBusServer en Canonst Upstart en Ubuntu versión 14.04 (y en algunos usos menos comunes de demonio dbus), permite suplantación de identidad de cookie debido al manejo inapropiado de enlaces simbólicos (symlink) en la implementación de referencia de DBUS_COOKIE_SHA1 en la biblioteca libdbus. (Esto solo afecta el mecanismo de autenticación DBUS_COOKIE_SHA1). Un cliente malicioso con acceso de escritura a su propio directorio de inicio podría manipular un enlace simbólico ~/.dbus-keyrings para hacer que un DBusServer con un uid diferente lea y escriba en ubicaciones no deseadas. En el peor de los casos, esto podría hacer que DBusServer reutilice una cookie que es conocida por el cliente malicioso, y tratar esa cookie como evidencia de que una conexión de cliente subsiguiente provino de un uid elegido por el atacante, lo que permite la omisión de autenticación.

A flaw was found in dbus. The implementation of DBUS_COOKIE_SHA1 is susceptible to a symbolic link attack. A malicious client with write access to its own home directory could manipulate a ~/.dbus-keyrings symlink to cause the DBusServer to read and write in unintended locations resulting in an authentication bypass. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

*Credits: N/A

CVSS Scores

Attack Vector

Local

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Attack Vector

Local

Attack Complexity

High

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Local

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2019-06-06 CVE Reserved
2019-06-11 CVE Published
2024-06-04 EPSS Updated
2024-08-04 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-287: Improper Authentication

CAPEC

References (19)

URL	Tag	Source
http://www.openwall.com/lists/oss-security/2019/06/11/2	Mailing List
http://www.securityfocus.com/bid/108751	Vdb Entry
https://lists.debian.org/debian-lts-announce/2019/06/msg00005.html	Mailing List
https://seclists.org/bugtraq/2019/Jun/16	Mailing List
https://www.openwall.com/lists/oss-security/2019/06/11/2	Mailing List

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00059.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00092.html	2023-11-07
http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00026.html	2023-11-07
https://access.redhat.com/errata/RHSA-2019:1726	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2868	2023-11-07
https://access.redhat.com/errata/RHSA-2019:2870	2023-11-07
https://access.redhat.com/errata/RHSA-2019:3707	2023-11-07
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/V2CQF37O73VH2JDVX2ILX2KD2KLXLQOU	2023-11-07
https://security.gentoo.org/glsa/201909-08	2023-11-07
https://usn.ubuntu.com/4015-1	2023-11-07
https://usn.ubuntu.com/4015-2	2023-11-07
https://www.debian.org/security/2019/dsa-4462	2023-11-07
https://access.redhat.com/security/cve/CVE-2019-12749	2021-03-22
https://bugzilla.redhat.com/show_bug.cgi?id=1719344	2021-03-22

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Freedesktop Search vendor "Freedesktop"		Dbus Search vendor "Freedesktop" for product "Dbus"				< 1.10.28 Search vendor "Freedesktop" for product "Dbus" and version " < 1.10.28"		-		Affected
Freedesktop Search vendor "Freedesktop"		Dbus Search vendor "Freedesktop" for product "Dbus"				>= 1.12.0 < 1.12.16 Search vendor "Freedesktop" for product "Dbus" and version " >= 1.12.0 < 1.12.16"		-		Affected
Freedesktop Search vendor "Freedesktop"		Dbus Search vendor "Freedesktop" for product "Dbus"				>= 1.13.0 < 1.13.12 Search vendor "Freedesktop" for product "Dbus" and version " >= 1.13.0 < 1.13.12"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				16.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "16.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.04"		lts		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				18.10 Search vendor "Canonical" for product "Ubuntu Linux" and version "18.10"		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				19.04 Search vendor "Canonical" for product "Ubuntu Linux" and version "19.04"		-		Affected